Method and apparatus for using mobile subscriber identification information for multiple device profiles for a device

ABSTRACT

Aspects of the subject disclosure may include, for example, a system that manages reuse of mobile subscriber identity information. Further aspects may include mobile subscriber identity information used in a device having multiple device profiles indexed, directly or indirectly, by multiple k i  (e.g. shared secret keys). Other embodiments are disclosed.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/154,823 filed Oct. 9, 2018, which is a continuation of U.S. patentapplication Ser. No. 15/366,161 filed Dec. 1, 2016 (now U.S. Pat. No.10,136,305). The contents of each of the foregoing are herebyincorporated by reference into this application as if set forth hereinin full.

FIELD OF THE DISCLOSURE

The subject disclosure relates to a method and apparatus for usingmobile subscriber identification information for multiple deviceprofiles for a device.

BACKGROUND

Mobile communication devices register with networks so that the devicescan provide communication services to subscribers. The registrationprocess requires exchanging messages between the mobile communicationdevice and network device(s), as well as exchanging messages betweennetwork devices.

As an example as illustrated in FIG. 1, a device can provide mobilesubscriber identification information to the network at 101 which isreceived by a registration function (e.g., a Home Location Register(HLR)). Various information can be exchanged on the network-side and ananalysis of the mobile subscriber identification information can beperformed resulting in a registration authorization being provided tothe device at 102.

BRIEF DESCRIPTION OF THE DRAWINGS

Reference will now be made to the accompanying drawings, which are notnecessarily drawn to scale, and wherein:

FIG. 1 depicts an illustrative embodiment of a registration process inthe prior art;

FIG. 2 depicts an illustrative embodiment of a system that providescommunication services and enables re-using mobile SubscriberIdentification Information by other devices;

FIGS. 3-6 depict illustrative embodiments of registration processes usedin portions of the system described in FIG. 1;

FIG. 7 depicts an illustrative embodiment of a method that providescommunication services and enables re-using mobile SubscriberIdentification Information by other devices;

FIG. 8 depicts another illustrative embodiment of a system that providescommunication services and enables re-using mobile SubscriberIdentification Information by other devices;

FIG. 9 depicts an illustrative embodiment of a communication device thatcan be utilized in either or both of the systems of FIGS. 2 and 8 and/orcan be utilized during the method of FIG. 7;

FIGS. 10-11 depict illustrative embodiments of systems that provide forreuse of mobile subscriber identification information based onregistration error messages;

FIG. 12 depicts another illustrative embodiment of a method thatprovides communication services and enables re-using mobile subscriberidentification information by other devices;

FIG. 13 depicts an illustrative embodiment of a system that provides forreassignment of mobile subscriber identification information;

FIG. 14 depicts another illustrative embodiment of a method thatprovides communication services and enables reassigning mobilesubscriber identification information to other devices;

FIG. 15 depicts an illustrative embodiment of a system that provides foruse of a same mobile subscriber identification information by more thanone communication device;

FIG. 16 depicts an illustrative embodiment of a database structure thatcan be utilized during use of a same mobile subscriber identificationinformation by more than one communication device;

FIG. 17 depicts another illustrative embodiment of a system thatprovides for use of a same mobile subscriber identification informationby more than one communication device;

FIG. 18 depicts another illustrative embodiment of a method thatprovides communication services and enables use of the same mobilesubscriber identification information by multiple communication devices;

FIGS. 19-20 depict illustrative embodiments of systems that provide foruse of a same mobile subscriber identification information by more thanone communication device at different locations;

FIG. 21 depicts another illustrative embodiment of a method thatprovides communication services and enables use of the same mobilesubscriber identification information by multiple communication devicesat different locations;

FIG. 22 depicts another illustrative embodiment of a system thatprovides for use of a same mobile subscriber identification informationby more than one communication device;

FIG. 23 depicts another illustrative embodiment of a method thatprovides communication services and enables use of the same mobilesubscriber identification information by multiple communication devices;

FIG. 24 depicts another illustrative embodiment of a system thatprovides for use of a same mobile subscriber identification informationby more than one communication device according to registration errors;

FIG. 25 depicts another illustrative embodiment of a method thatprovides communication services and enables use of the same mobilesubscriber identification information by multiple communication devicesaccording to registration errors;

FIGS. 26-27 depict illustrative embodiments of systems that provide forswitching between generic and non-generic mobile subscriberidentification information;

FIG. 28 depicts another illustrative embodiment of a method thatprovides communication services and enables use of a generic mobilesubscriber identification information by multiple communication devices;and

FIG. 29 depicts an illustrative embodiment of classifying IMSIs fordifferent devices according mobility and device location;

FIGS. 30-32 depict illustrative embodiments of reusing IMSIs accordingto mobility and location of different communication devices;

FIG. 33 depicts an illustrative embodiment of a method that reuses IMSIsaccording to mobility and location of different communication devices;

FIG. 34 depicts an illustrative embodiment of a device with an IMSIhaving multiple shared secret keys, k;

FIGS. 35-36 depict illustrative embodiments of a device registering forservices according to one of a multiple shared secret keys, k_(i) of thedevice;

FIGS. 37A-B depict illustrative embodiments of methods that use multipleshared secret keys, k_(i) associated with an IMSI of a device;

FIG. 38 is a diagrammatic representation of a machine in the form of acomputer system within which a set of instructions, when executed, maycause the machine to perform any one or more of the methods describedherein.

DETAILED DESCRIPTION

The subject disclosure describes, among other things, illustrativeembodiments for managing utilization of mobile subscriber identityinformation referred to herein as an International Mobile SubscriberIdentity (IMSI). The system and methods described herein can enablereuse of an IMSI by a different communication device and/orre-authorizing use by a communication device that previously wasauthorized to utilize the IMSI. In one or more embodiments, themanagement of the IMSI reuse can be based at least in part onintercepting registration requests and/or registration error messages.In one or more embodiments, the communication devices can be end userdevices, or other devices including Machine-to-Machine (M2M) or Internetof Things (IoT) devices. In one or more embodiments, a bootstrap IMSIcan be utilized in a registration process by a communication device thathas been flagged as inactive, where the limited use includes enablingcommunication with network elements for initiating a registrationprocess without enabling user communication services at thecommunication device utilizing the bootstrap IMSI.

In one or more embodiments, a same IMSI can be utilized by more than onecommunication device according to distinguishing between device (e.g.,during registration) based on unique device identification information.In one or more embodiments, a same IMSI can be utilized by more than onecommunication device according to the devices being located in differentregistration areas. Other embodiments are described in the subjectdisclosure.

In one or more embodiments, a same IMSI can be utilized by more than onecommunication device according to the mobility and/or device locationamong different communication devices.

One or more aspects of the subject disclosure is a device. The devicecan comprise a processing system including a processor, and a memorythat stores executable instructions that, when executed by theprocessing system, facilitate performance of operations. The operationscan include receiving an international mobile subscriber identity (IMSI)and a generated authentication response for each of a plurality ofsecret keys resulting in a plurality of generated authenticationresponses. Additional operations include associating each of theplurality of generated authentication responses with each of a pluralityof device profiles. Also, the operations include receiving aregistration request from a communication device. The registrationrequest includes a device authentication response. Further operationscan include comparing the device authentication response to the each ofthe plurality of generated authentication responses. Additionaloperations can include identifying that the device authenticationresponse matches a first generated authentication response. The firstgenerated authentication response is one of the plurality of generatedauthentication responses. Also, the operations can include identifying afirst device profile associated with the first generated authenticationresponse. The operations can further include notifying a server toprovide services to the communication device according to the firstdevice profile.

One or more aspects of the subject disclosure is a method. The methodincludes receiving, by a processing system including a processor, aninternational mobile subscriber identity (IMSI) and a plurality ofunique identifiers from an identity provisioning function. Each of theplurality of unique identifiers are associated with a registrationfunction resulting in a plurality of registration functions. Theprocessing system operates as an identity proxy function. Further, themethod includes obtaining, by the processing system, a registrationrequest from a communication device. The registration request includes afirst unique identifier of the plurality of the unique identifiers. Inaddition, the method includes steering, by the processing system, theregistration request to a first registration function of the pluralityof registration functions according to the first unique identifier.Also, the method includes providing, by the processing system, the firstunique identifier to the identity provisioning function. The identityprovisioning function identifies a first device profile according to thefirst unique identifier. Further, the identity provisioning functionsends a notification to a server that the communication device hasenabled the first device profile.

One or more aspects of the subject disclosure is a machine-readablestorage medium that facilitates performance of operations. Theoperations include receiving an international mobile subscriber identity(IMSI) and a generated authentication response for each of a pluralityof secret keys resulting in a plurality of generated authenticationresponses. Additional operations can include associating each of theplurality of generated authentication responses with each of a pluralityof device profiles. Also, the operations can include receiving aregistration request from a communication device, wherein theregistration request includes a device authentication response. Furtheroperations can include identifying a first device profile according tothe device authentication response and a first generated authenticationresponse from the plurality of generated authentication responses.Additional operations can include notifying a server to provide servicesto the communication device according to the first device profile.

FIG. 2 depicts an illustrative embodiment of a communication system 200(e.g., a Global System for Mobile Communications (GSM) system) thatprovides communication services such as to a communication device 210.The communication device 210 can be various types of devices such as amobile phone or other devices that utilize an IMSI for establishingcommunication services. The types of communication services can varyincluding voice services, video, data and/or messaging. System 200enables IMSI re-use by the same or other communication devices throughuse of an identity proxy function 250 and an identity provisioningfunction 350.

System 200 can include various components that facilitate providing thecommunication services, such as a Base Station Subsystem (BSS) thatperforms various functions (e.g., allocation of radio channels, paging,transmitting and receiving over the air interface). The BSS can includea Base Transceiver Station (BTS) 220 which can include equipment fortransmitting and receiving radio signals, antennas, and equipment forencrypting and decrypting communications with a Base Station Controller(BSC) 230. The BSC 230 can serve several different frequencies anddifferent sectors of a cell. System 200 can include a core network withother components such as a Mobile Switching Center (MSC) 240, a VisitorLocation Register (VLR) 245, a Home Location Register (HLR) 260, anAuthentication Center (AUC) 270, and an Equipment Identity Register(EIR) 270.

The MSC 240 can be a primary service delivery node that is responsiblefor routing voice calls and SMS, as well as other services, such asconference calls, FAX and circuit switched data. The VLR 245 can be adatabase of subscribers that have roamed into a jurisdiction of aparticular MSC served by that VLR. The VLR 245 is illustrated as astand-alone device but can be integrated with the MSC 240. The HLR 260can be a central database that contains details of each mobile phonesubscriber that is authorized to use the core network. In one or moreembodiments, the HLRs can store details of Universal Integrated CircuitCards (UICCs) (e.g., Subscriber Identity Module (SIM) cards) issued bythe mobile phone operator. In one or more embodiments, IMSIs can beunique identifiers which are the primary key to each HLR record. In oneor more embodiments, MSISDNs, which are the telephone numbers used bymobile phones to make and receive calls, can also be a primary key to aparticular HLR record. Other data can be stored in the HLR 260 (e.g.,indexed to a particular IMSI), such as communication services that thesubscriber has requested or is authorized to utilize, GPRS settings toallow the subscriber to access packet services, a current location ofsubscriber call divert settings applicable for each associated MSISDN,and so forth.

The AUC 270 can perform a function to authenticate each UICC thatattempts to connect to the core network (e.g., when the phone is poweredon). Once the authentication is successful, the HLR 260 can manage theUICC and authorized communication services. The EIR 280 can maintain alist of mobile phones (e.g., identified by their International MobileStation Equipment Identity (IMEI)) which are to be monitored or are tobe prohibited from utilizing the network. The EIR 280 can be a databasethat contains information about the identity of the mobile equipmentthat prevents calls from stolen, unauthorized or defective mobilestations. In one or more embodiments, the EIR 280 can log handsetattempts that are stored in a log file. The EIR 280 is illustrated as astand-alone device but can be integrated with the HLR 260. System 200can include other features such as an Operations and Maintenance Center(OMC) that enables or otherwise facilitates the operation,administration and maintenance of a GSM network.

The communication system 200 can provide Over-The-Air (OTA) technologyto communicate with, download applications to, and manage a UICC withoutbeing connected physically to the UICC. As an example, an OTA gateway280 can communicate with a Short Message Service Center (SMSC) 290 fordelivering provisioning information to the communication device 210, aswell as propagating information to other network elements. For instance,OTA gateway 280 can transform information (e.g., service requests,provisioning information, and so forth) into short messages which areprovided to the SMSC 290 for delivery to the communication device 210.In one embodiment, the OTA gateway 280 receives service requests througha gateway API that indicates the actual UICC to modify, update, and/oractivate. In one embodiment, the OTA gateway 280 can have a UICCdatabase that indicates for each UICC, the vendor, a UICC identificationnumber, the IMSI and the MSISDN. In one embodiment, the service requestcan be formatted by the OTA gateway 280 into a message that can beunderstood by the recipient UICC, such as through use of librariesaccessible to (or stored by) the OTA gateway that contain the formats touse for each brand of UICC. The resulting formatted message can then besent to the SMSC 290 for delivery.

The identity proxy function 250 can be a stand-alone device (e.g.,positioned between the BSS and the MSC 240), or can be integrated withother components of the system 200 such as being executed by a serverthat also executes the MSC/VLR functions. In one or more embodiments,the identity proxy function 250 is configured so that information (e.g.,a registration request) being sent to a registration function (e.g., theHLR 260) is intercepted or otherwise first received by the identityproxy function prior to being received by the MSC 240, the VLR 245 andthe HLR 260. The particular positioning of the identity proxy function250 with respect to other network elements can vary provided that theidentity proxy function maintains its ability to manage use and re-useof IMSIs. In one embodiment, a single identity proxy function 250 can beutilized for a set of MSC/VLR and HLR.

In another embodiment, multiple identity proxy functions 250 can beutilized for each set of MSC/VLR and HLR, where the identity proxyfunctions are positioned at various points in the core network such asbetween the BSS and the MSC 240 and between the VLR 245 and the HLR 260(shown as dashed lines in FIG. 2). In one embodiment where multipleidentity proxy functions 250 are utilized, they can communicate witheach other for implementing the management of the use and re-use of theIMSIs.

In one embodiment, an interface 255 can be established between theidentity proxy function 250 and other network components, such as theHLR 260. For example, the interface 255 can enable the identity proxyfunction 250 to communicate directly with the HLR 260 so as to bypasscommunication with the VLR. For instance and as described herein, theidentity proxy function 250 can simulate function(s) of the VLR 245 suchas SRES comparison, and the interface 255 can enable obtaining dataneeded for the SRES comparison.

System 200 can also include an identity provisioning function 350 forproviding information to various devices including the communicationdevice 210, and network element(s). In one embodiment, the identityprovisioning function 350 can maintain a listing of the designated IMSIsand can provision identity proxy functions throughout the network withthis listing. The identity provisioning function 350 can be a separatedevice that is in communication with the identity proxy function 250. Inone embodiment, the identity provisioning function 350 can provide forOTA provisioning of the communication device 210 via a registrationsimulation platform as described herein, as well as propagate otherinformation to various network elements (e.g., communicating notices ofreassigned IMSIs or other information to the HLR 260, the AUC 270 and/orthe EIR 280). In one embodiment, the identity provisioning function 350can be in communication with the OTA gateway 280 and can utilize theservices of the SMSC 290 to provision communication devices. Thefunctions performed by the identity proxy function 250 and the identityprovisioning function 350 in managing IMSI reuse can vary. In oneembodiment, the identity proxy function 250 can be utilized as a pointof IMSI screening and further determinations as to what steps should betaken to manage the particular IMSI can be made by the identityprovisioning function 350 based on a detection or screening messagereceived by the identity provisioning function 350 from the identityproxy function 250. In other embodiments, the identity proxy function250 can take a more active role in determinations of the appropriatesteps to be taken to manage the particular IMSI.

Referring to FIG. 3 which illustrates a portion of system 200 and may ormay not include intermediate network components in the message exchangepaths, the identity proxy function 250 can have access to a list ofIMSIs that are designated for potential reassignment or as havingalready been reassigned to another communication device. For instance,the identity provisioning function 350 can maintain the listing of thedesignated IMSIs at 301 and can provision identity proxy functionsthroughout the network with this listing at 302. The listing of thedesignated IMSIs can be generated based on various criteria.

This provisioning information associated with the IMSIs can be utilizedby the identity proxy function 250 to manage or otherwise facilitateregistration by communication devices and reuse of IMSIs. For example,the identity proxy function 250 can determine that an IMSI is notincluded in the listing of the designated IMSIs in which case aregistration request associated with that IMSI would be forwarded to theMSC 240 for completing a registration process.

As another example, the identity proxy function 250 can determine thatan IMSI is included in the listing of the designated IMSIs but is notincluded in the subset of IMSIs that has already been reassigned inwhich case the identity proxy function 250 would know that an originaldevice (which has been flagged as inactive) is attempting to registerwith the network. The identity proxy function 250 could then takeappropriate steps for providing service to the original device, such ascausing (e.g., via the identity provisioning function 350) reauthorizinguse of the IMSI if services are now authorized (e.g., payment ofservices has been received) or causing the providing of nullificationinformation to the original device (e.g., via the identity provisioningfunction 350, a registration simulation platform, the OTA 280 and/or theSMSC 290) to further cause use of the IMSI at the original device to bedisabled if services are not authorized or the device/UICC are notcompatible with current network service. In one or more embodiments, theidentity proxy function 250 can provide a notice to the identityprovisioning function of detection of a particular IMSI and the identityprovisioning function 350 can then take appropriate steps for managingthe reuse of IMSIs.

As another example, the identity proxy function 250 can determine thatan IMSI is included in the listing of the designated IMSIs and is alsoincluded in the subset of IMSIs (which have already been reassigned).Responsive to these determinations, a further determination can be madeas to whether the device is the original device associated with the IMSIprior to the reassignment or whether the device is the new device thathas been reassigned the IMSI. The identity proxy function 250 and/or theidentity provisioning function 350 could then take appropriate steps forallowing registration of the new device that has been reassigned theIMSI or for providing service to the original device. For instance,another IMSI can be reassigned (e.g., via the identity provisioningfunction 350) to the original device from the listing of designatedIMSIs (which has not already been reassigned) if services are nowauthorized (e.g., payment of services has been received). In anotherembodiment, nullification information can be provided to the originaldevice (e.g., via the identity provisioning function 350) to cause useof the original IMSI at the original device to be disabled, such aswhere another IMSI is to be reassigned to the original device.

In one embodiment, IMSIs can be designated for potential re-use due tosuspension of services for a subscriber such as for non-payment or foranother reason. In one embodiment, IMSIs can be designated for potentialre-use due to a lack of use of the IMSI (or the device having a UICCthat utilizes the IMSI) for a threshold time period, such as a mobilephone that has not attempted to register with a network (e.g., the GSMnetwork or some other network including LTE or UMTS) in six months. Inone embodiment, IMSIs can be designated for potential re-use accordingto a confirmation that the UICC has been damaged, lost, stolen and soforth. In one or more embodiments as the IMSIs are reassigned to otherdevices, those particular IMSIs can be further flagged as having beenreassigned (i.e., flagged as a subset of the list of designated IMSIs).The identity provisioning function 350 can keep the identity proxyfunction 250 (as well as other identity proxy functions throughout thenetwork) apprised of the list of designated IMSIs as well as the subsetof those IMSIs that have already been reassigned to anothercommunication device so that the identity proxy function 250 canaccurately perform an IMSI screening process when registration requestsare received.

Referring to FIG. 4 which illustrates a portion of system 200 and may ormay not include intermediate network components in the message exchangepaths, another communication device 410 can be reassigned an IMSI fromthe designated IMSIs where the IMSI was previously associated with thecommunication device 210 (which has been flagged as inactive). In thisexample at 401, the identity provisioning function 350 can receive arequest, be instructed or otherwise determine that the IMSI (in the listof designated IMSIs) is to be reassigned to the communication device410. The communication device 410 can be a new device that needs an IMSIto provide communication services or an existing device that requiresanother IMSI due to some other reason, such as having its own IMSIreassigned to a different device.

At 402, the identity provisioning function 350 can notify the HLR 260that the communication device 410 is now associated with the particularreassigned IMSI. This can include deleting an original IMSI assignmentfor the communication device 410 and/or adding the new IMSI assignmentfor the communication device 410 in the database of the HLR 260. In oneembodiment, this notification can cause the HLR 260 to perform adatabase update such as re-mapping to particular HLR records, adjustingmapping with respect to MSISDNs, adjusting an identification ofavailable communication services that the subscriber has requested or isauthorized to utilize, adjusting GPRS settings to allow the subscriberto access packet services, and so forth.

At 403, the identity provisioning function 350 can notify the identityproxy function 250 that the communication device 410 is now associatedwith the particular reassigned IMSI. In one embodiment, the identityproxy function 250 can already be aware that the IMSI is part of a groupof IMSIs designated for potential reassignment and can already be awarethat the communication device 210 has been flagged as inactive. In thisexample, the identity proxy function 250 can switch a designation of theparticular IMSI to being flagged as within the subset of the designatedIMSIs that have already been reassigned to another device (i.e., thecommunication device 410 in this example).

Referring to FIG. 5 which illustrates a portion of system 200 and may ormay not include intermediate network components in the message exchangepaths, the identity proxy function 250 facilitates registration ofdevices that have been reassigned IMSIs by intercepting or otherwisereceiving registration requests, such as prior to the registrationrequest being provided to the MSC 240, the VLR 245 and the HLR 260. Forexample at 501, the communication device 410 (which has been reassignedan IMSI from the listing of designated IMSIs where the IMSI waspreviously associated with the communication device 210) can requestregistration with the network. A registration request including thereassigned IMSI can be received by the identity proxy function 250 whichdetermines whether or not the particular IMSI is part of the group ofdesignated IMSIs and whether a reassignment to another device hasalready occurred. In one embodiment, the identity proxy function 250and/or the identity provisioning function 350 can identify theparticular device requesting registration with the network. Forinstance, device identification information (e.g., an IMEI) can beobtained for the communication device 410, such as being received fromdevice 410 or from another source.

At 502, if the received IMSI is determined as having already beenreassigned to another device and if the communication device 410 isdetermined to be that other device then identity proxy function 250 canforward the registration request to the MSC/VLR (or another registrationfunction server) for processing of the registration of the communicationdevice 410. At 503 and 504, messaging associated with the registrationprocess can be exchanged such as between the HLR 260, the VLR 245, theidentity proxy function 250, and/or the communication device 410.

The particular messaging that makes up the registration request and theregistration process can vary. In one embodiment, the communicationdevice 410 can send a Channel Request message to the BSS on a RandomAccess Channel (RACH) and the BSS can respond on an Access Grant Channel(AGCH) with an Immediate Assignment message while assigning a StandAlone Dedicated Control Channel (SDCCH) to the communication device 410.The communication device 410 can switch to the assigned SDCCH and cansend a Location Update Request to the BSS. The communication device 410can send its IMSI to the BSS. The BSS can forward the Location UpdateRequest/IMSI (i.e., a registration request) which is received orintercepted by the identity proxy function 250 which determines whetherthe received IMSI is already reassigned to another device and if thecommunication device 410 is that other device. If so, then theregistration request is forwarded by the identity proxy function 250 tothe MSC 240/VLR 245 which in turns forwards the registration request tothe HLR 260, along with a request for verification of the IMSI and arequest for authentication triplets (RAND, Kc, SRES). The HLR 260 canforward the IMSI to the AuC 270 and can request the authenticationtriplets. The AuC 270 can generate the authentication triplets and cansend them, along with the IMSI, back to the HLR 260. The HLR 260 canvalidate the IMSI by ensuring it is allowed on the network and it isauthorized for subscriber services. The HLR 260 can then forward theIMSI and the triplets to the VLR 245 which stores the SRES and the Kc,and can also forward the RAND to the BSS. The VLR 245 can utilize theBSS to authenticate the communication device 410. The BSS can send thecommunication device 410 an Authentication Request message with the onlyauthentication parameter being sent in the message being the RAND. Thecommunication device 410 can use the RAND to calculate the SRES and cansend the SRES back to the BSS on the SDCCH in an AuthenticationResponse. The BSS can forward the SRES to the VLR 245 which compares theSRES generated by the AuC with the SRES generated by the communicationdevice. If the SRESs match then authentication is completedsuccessfully. The exemplary embodiments can also utilize other messagingtechniques and paths for registration of the communication device 410.

In one embodiment, the VLR 245 can forward the Kc for the communicationdevice 410 to the BSS where the Kc is not sent across the air interfaceto the communication device. The BSS can store the Kc and can forward aSet Cipher Mode command to the communication device 410 where thecommand only indicates which encryption to use. The communication device410 can switch to cipher mode using the particular encryption algorithm(e.g., A5) so that all transmissions are now enciphered and can send aCiphering Mode Complete message to the BSS. The VLR 245 can send aLocation Updating Accept message to the BSS and also generate a newTemporary Mobile Subscriber Identity (TMSI) for the communicationdevice. The BSS can send the TMSI to the communication device 410 whichcan respond with a TMSI Reallocation Complete message that is forwardedto the VLR 245. The BSS can instruct the communication device 245 to gointo idle mode by sending it a Channel Release message and can thendeassign the SDCCH. The VLR 245 can send an Update Location message tothe HLR 260 which records the particular MSC/VLR the communicationdevice is currently associated with.

In one embodiment such as where the identity proxy function 250 isunable to obtain device identity information (e.g., the IMEI) for thecommunication device 410, the identity proxy function 250 can simulatethe registration process to obtain information that enables discerningwhether the communication device 410 is the device that has beenreassigned the IMSI or is the original device that was previouslyassociated with the IMSI prior to the reassignment. As an example, theidentity proxy function 250 can simulate the registration process so asto obtain an SRES generated by the communication device 410. From thatgenerated SRES, the identity proxy function 250 can detect whether thecommunication device 410 is the device that has been reassigned the IMSIor is the original device that was previously associated with the IMSIprior to the reassignment. In this example, the identity proxy function250 can communicate with other necessary components for obtaining datathat is utilized in the registration process such as bypassing the VLR245 and communicating via the interface 255 with the HLR 260 to obtainthe authentication triplets. In this example, since the identity proxyfunction 250 requested the authentication triplets, the HLR 260 willobtain them from the AUC 270 and provide them back to the identity proxyfunction rather than providing them to the VLR 245. In one embodiment,the simulation of the registration process and the forcing of an SRESgeneration by the communication device 410 can be utilized to identifythe particular device according to a secret key (in combination with theRAND provided by the identity proxy function 250) that the communicationdevice would utilize in generating the SRES. The secret keys can beknown or otherwise accessible to the identity proxy function 250 so thatthe secret key could be utilized to detect which device is generatingthe registration request. As an example, the secret key can be usedduring multiple cryptographic operations which can include theauthentication of the device (e.g., in all networks) and the network(e.g., in UMTS and LTE).

In one embodiment, rather than utilizing the interface 255, system 200can utilize first and second identity proxy functions 250 that arepositioned between the communication device 210 and the MSC 240 andpositioned between the VLR 245 and the HLR 260, respectively. The firstand second identity proxy functions 250 can communicate with each other,such as to bypass the VLR 245 when the identity proxy functions 250 aresimulating a registration process and forcing the communication device410 to generate an SRES. In one embodiment, once the identity proxyfunction 250 has determined the identity of the device (original devicevs. new device), the identity proxy function 250 can require that thecommunication device perform a re-registration.

Referring to FIG. 6 which illustrates a portion of system 200 and may ormay not include intermediate network components in the message exchangepaths, the identity proxy function 250 facilitates registration ofdevices where the particular IMSI has been designated for potentialreassignment or has already been reassigned by intercepting or otherwisereceiving registration requests, such as prior to the registrationrequest being provided to the MSC 240, the VLR 245 and the HLR 260. Forexample at 601, the original device 210 can request registration withthe network. The original device 210 may have been flagged as inactive,such as for non-use over a threshold period of time, suspension ofservices for non-payment, a customer requesting discontinuation ofservices, and so forth. A registration request including the IMSI can bereceived by the identity proxy function 250 which determines whether ornot the particular IMSI is part of the group of designated IMSIs andwhether a reassignment has already occurred. In one embodiment, theidentity proxy function 250 can identify the particular devicerequesting registration with the network. For example, deviceidentification information (e.g., an IMEI) can be obtained for theoriginal device 210, such as being received from device 210 (e.g., inthe registration request). As another example, if the IMSI has not beenreassigned but is part of the IMSIs designated for potentialreassignment then the identity proxy function 250 can determine that thedevice requesting registration is the original device 210 that has beenflagged as inactive. The identification of the device can be based onsimulating the registration process and forcing a generation of an SRESby the communication device 210, as described herein.

In one embodiment, the identity proxy function 250 and/or the identityprovisioning function 350 can determine whether the original device 210is eligible for services. If the original device 210 is not eligible forservices (e.g., suspension of services for non-payment or other reasons,device/UICC is no longer compatible with network or services, and soforth) then the identity proxy function 250 can cause or otherwisefacilitate or enable provisioning information to be provided (e.g., viathe identity provisioning function 350) to the original device 210 tocause the original device to disable its use of the IMSI. In thisexample, the IMSI can then be removed from the designated listing ofIMSIs and can instead be included with other IMSIs (e.g., that havenever been used before) that are eligible for assignment.

In one embodiment, if the IMSI has not yet been reassigned then theidentity proxy function 250 and/or the identity provisioning function350 can determine whether to allow the original device 210 to utilizethat original IMSI, such as confirming that the subscriber is eligiblefor services (e.g., based on payment for services or other actions thatremoved a suspension of services). If the original device 210 ispermitted to utilize its IMSI, then identity proxy function 250 canforward the registration request (based on the original IMSI) to the MSC240/VLR 245 and can provide a notification (e.g., to the identityprovisioning function 350) to remove the IMSI from the listing ofdesignated IMSIs and to further adjust the status of the original device210 from an inactive status to an active status.

In one embodiment, if the IMSI has already been reassigned to anotherdevice then the identity proxy function 250 and/or the identityprovisioning function 350 can confirm that the subscriber of theoriginal device 210 is eligible for services and can obtain reassignmentof another IMSI (from the designated list of IMSIs) for the originaldevice. For example at 602, responsive to a determination that the IMSIhas already been reassigned to another device and a determination thatthe subscriber of the original device 210 is eligible for services thenthe identity proxy function 250 can provide a request to the identityprovisioning function 350 for another IMSI from the listing ofdesignated IMSIs (which is not in the subset of IMSIs that has alreadybeen reassigned) or the identity proxy function 250 can receive theother IMSI from the identity provisioning function 350 based on adetermination made by the identity provisioning function 350. In oneembodiment, the original device 210 can continue to utilize its originalsecret key (which is mapped to the original device by the network). Inone embodiment, the determination of eligibility for services can bemade by the identity provisioning function 350 such that the identityproxy function 250 transmits the request to the identity provisioningfunction 350 for another IMSI responsive to a determination that theIMSI has already been reassigned to another device and the identityprovisioning function 350 can approve or deny the request.

Continuing with this example at 603, the identity provisioning function350 can notify various network elements (e.g., the HLR 260) that thecommunication device 210 is now associated with the particularreassigned IMSI. This can include the HLR 260 deleting an original IMSIassignment for the communication device 210 and/or adding the new IMSIassignment for the communication device 210 in its database. In oneembodiment, this notification can cause the HLR to perform a databaseupdate such as re-mapping to particular HLR records, adjusting mappingwith respect to MSISDNs, adjusting an identification of availablecommunication services that the subscriber has requested or isauthorized to utilize, adjusting GPRS settings to allow the subscriberto access packet services, and so forth.

At 604, the identity provisioning function 350 can provide provisioninginformation to the communication device 210 via an OTA platform thatcauses the UICC to be adjusted so that the reassigned IMSI is nowutilized by the device for communication services. In one embodiment, tosend an OTA provisioning message to a device that has not completedregistration to a target network, a simulating network can be used tointercept (e.g., prior to being received by a VLR in GSM or an MME inLTE) and complete the registration. The simulating network can send anOTA message to the device that can cause the modification of the deviceIMSI and can cause the device to perform a re-registration to the targetnetwork. For example, the simulating network can comprise a set offunctional elements (e.g., registration simulation platform 675) thatexist in the target network. This can include an MSC/VLR, a MME, a HLRor HSS, an AUC, a SMSC, an OTA platform, a SGW, a PGW, an EIR and/or anycombination thereof. The AUC of registration simulation platform 675 cancontain the secret key of the device and the HSS/HLR can be provisionedto allow the device to register. Other pre-provisioning functions can beperformed. For instance, the registration simulation platform 675 can beintegrated into the identity proxy function 250 (illustrated in FIG. 6),the identity provisioning function 350 and/or can exist as a standalonedevice. In one embodiment, the identity provisioning function 350 canbecome aware of the registration to the registration simulation platform675 by notification from the registration simulation platform 675 and/orfrom the identity proxy function 250. In this example, the identityprovisioning function 350 can instruct the registration simulationplatform 675 to perform an OTA to modify an IMSI of that particulardevice. The identity provisioning function 350 may provide an update tothe identity proxy function 250 regarding the content of the requestedOTA. In one embodiment, the identity proxy function 350 can first detectan error message, then perform an action such as not forwarding theerror to the device to cause the device to reattempt the registration,and finally intercept the reattempt and forward to the registrationsimulation platform 675.

In another embodiment, the identity provisioning function 350 canprovide provisioning information to the communication device 210 via theOTA 280 and the SMSC 290 that causes the UICC to be adjusted so that thereassigned IMSI is now utilized by the device for communicationservices. In another embodiment at 605, the communication device 210 canthen attempt to re-register utilizing the reassigned IMSI. The identityproxy function 250 can receive the registration request for thecommunication device 210, which now includes the reassigned IMSI and at606-608 the registration process (via the VLR 245 and the HLR 260) canbe completed based on the reassigned IMSI. In one or more embodiments,the identity provisioning function 350 can provision a National SIMManager (NSM) with the reassigned IMSI for the original device where thesecret key of the original device is already known. In anotherembodiment, the identity provisioning function 350 can be integratedwith equipment of the NSM. In one embodiment, a billing system candetect the change in IMSI for the UICC and can provision some or allother network elements necessary for enabling call processing (e.g., HLR260, AUC 270).

FIG. 7 depicts an illustrative embodiment of a method 700 used by system200 for facilitating the re-use of IMSIs. One or more of the steps ofmethod 700 can be performed by the identity proxy function 250, theidentity provisioning function 350 and/or by other devices described inFIGS. 2-6. At 702, an IMSI can be received that is associated with acommunication device. For instance, the IMSI can be part of aregistration request that is generated by or caused to be generated bythe communication device. At 704, a determination of the status of theIMSI can be made. For example, the identity proxy function 250 candetermine whether the IMSI is included in a designated group of IMSIsand if so can further determine whether the IMSI is included in a subsetof the group which is further designated as having already beenreassigned to another communication device. If the IMSI is not part ofthe designated group of IMSIs then the registration process can becontinued by forwarding the registration request and/or IMSI to the MSC240/VLR 245 to perform the registration at 706. If on the other hand theIMSI is part of the designated group of IMSIs then a determination canbe made at 708 as to whether the registration request is for an originaldevice that was associated with the IMSI (e.g., prior to beingreassigned) or whether the registration request is for a new device thathas been reassigned the IMSI. The identification of the particulardevice can be performed in a number of different ways, such as based ondevice identification information (e.g., IMEI), simulating aregistration process to force an SRES generation by the device fromwhich the device identification can be determined, and so forth.

If the registration request and the IMSI are from a new device that hasbeen reassigned the IMSI then the registration process can be continuedby forwarding the registration request and/or IMSI to the MSC 240/VLR245 to perform the registration at 706. If on the other hand theregistration request and the IMSI are from an original device (e.g., adevice that the IMSI was previously associated with prior to being addedto the listing of designated IMSIs) then a determination can be made at710 as to whether the subscriber of the original device is eligible forcommunication services. Eligibility for services can be based on variousfactors and can be determined by various components or a combination ofcomponents, such as based on billing, device hardware requirements,device software requirements, and so forth. If the subscriber of theoriginal device is not eligible for communication services then at 712provisioning information can be provided to the original device (e.g.,via OTA provisioning by the identity provisioning function 350 such asthrough use of registration simulation platform 675) that causesdisabling the use of the particular IMSI by the original device. In oneembodiment, if the IMSI has not already been reassigned then it can beremoved from the listing of designated IMSIs and provided to anothercommunication device (e.g., the identity proxy function 250 can forwardthe IMSI automatically to the MSC 240/VLR 245 for completion ofregistration associated with a new device that utilizes the IMSI).

If on the other hand the subscriber of the original device is eligiblefor communication services then at 714 the original device can beauthorized to utilize the particular IMSI (e.g., if it is determinedthat the particular IMSI has not yet been reassigned) or the originaldevice can be provisioned with another IMSI (e.g., if it is determinedthat the original IMSI has already been reassigned to another device).In one embodiment, the new IMSI reassigned to the original device can beselected from the listing of designated IMSI (which is not included inthe subset of IMSIs that has already been reassigned). Method 700 canthen proceed to 706 where the registration process is completed.

While for purposes of simplicity of explanation, the respectiveprocesses are shown and described as a series of blocks in FIG. 7, it isto be understood and appreciated that the claimed subject matter is notlimited by the order of the blocks, as some blocks may occur indifferent orders and/or concurrently with other blocks from what isdepicted and described herein. Moreover, not all illustrated blocks maybe required to implement the methods described herein.

In one or more embodiments, eligibility for services can be determinedaccording to a viability of the UICC. For example, if it is determinedthat the UICC is no longer compatible with the network (e.g., it cannotperform certain functions requested by the network or cannot facilitatecertain communication services) then the device/UICC can be designatedas being ineligible for service and provisioning information can be sentto the device (e.g., via registration simulation platform 675) tonullify or otherwise disable use of the IMSI by that device/UICC. In oneembodiment, if it is determined that the UICC is not viable or otherwiseis incompatible with the network then the subscriber of the originaldevice can be provided with a request to upgrade the UICC (which may ormay not utilize the same IMSI), such as forwarding a message includingan offer to the original device. In this example, the IMSI can beremoved from the listing of designated IMSIs. One or more of thedeterminations described with respect to any of the exemplaryembodiments can be made by the identity proxy function 250, the identityprovisioning function 350, or another network device.

FIG. 8 depicts an illustrative embodiment of a communication system 800(e.g., a Long Term Evolution (LTE) system) that provides communicationservices such as to a communication device 810. The communication device810 can be various types of devices such as a mobile phone or otherdevices that utilize an IMSI for establishing communication services.The types of communication services can vary including voice services,video, data and/or messaging. System 800 enables IMSI re-use by the sameor other communication devices through use of an identity proxy function850 and an identity provisioning function 899. System 800 can performmany of the same functions as described with respect to system 200including intercepting a registration request with an IMSI, determiningan identity of a device requesting registration, processing registrationrequests according to whether the IMSI is a designated IMSI and whetherthe IMSI has already been reassigned to another device, reassigning anIMSI to an original device that has come back online, reauthorizing useof an original IMSI for an original device that has returned to beingservice eligible, and so forth.

System 800 can utilize the identity proxy function 850 to performfunctions similar to those described with respect to the identity proxyfunction 250 of system 200 for facilitating the re-use of IMSIs. System800 can include various components that facilitate providing thecommunication services, including an eNodeB (eNB) 825 that functions ashardware that communicates directly wirelessly with mobile handsetssimilar to the BSS of the GSM network of system 200, a MobilityManagement Entity (MME) 840 that functions as a control-node for the LTEaccess-network, and a Home Subscriber Server (HSS) 860 that functions asa central database to contain user-related and subscription-relatedinformation and which provides user authentication and accessauthorization functionality. The HSS 860 is similar to the HLR 260 andAUC 270 of the GSM network of system 200. Other components can also beincluded in the system 800 such as an EIR, S-GW, PDN GW, ePDG, SGSN andso forth.

In one or more embodiments, the identity proxy function 850 can bepositioned between the eNB 825 and the MME 840 so that the IMSI isreceived by the identity proxy function 850 prior to being processed bythe MME 840. In one embodiment, an interface 855 can be establishedbetween the identity proxy function 850 and other network components,such as the HSS 860. For example, the interface 855 can enable theidentity proxy function 850 to communicate directly with the HSS 860 soas to bypass communication with the MME 840. For instance and asdescribed herein, the identity proxy function 850 can simulatefunction(s) of the MME 840 such as RES comparison and the interface 855can enable obtaining data needed for the RES comparison.

System 800 can utilize an identity provisioning function 899 forprovisioning information to the communication device 810, such as areassigned IMSI, nullification information that disables the use of anold IMSI at an original device, an offer to obtain a reassigned IMSI,and so forth. In one embodiment, identity provisioning function 899 canalso propagate other information to other network elements, such asnotifications that an IMSI from the listing of designated IMSIs has beenreassigned or has been removed from the IMSI, an inactive or activestatus change for a device, and so forth to various network elementssuch as the HSS 860, the EIR, and so forth. The provisioning orpropagation of information to the communication device 810 can beperformed in a number of different ways, including utilizing aregistration simulation platform (e.g., performing function similar tothat of registration simulation platform 675 in FIG. 6), an OTA gateway880 and/or a messaging gateway 890. The functions performed by theidentity proxy function 850 and the identity provisioning function 899in managing IMSI reuse can vary. In one embodiment, the identity proxyfunction 850 can be utilized as a point of IMSI screening and furtherdeterminations as to what steps should be taken to manage the particularIMSI can be made by the identity provisioning function 899 based on adetection or screening message received by the identity provisioningfunction 899 from the identity proxy function 850. In other embodiments,the identity proxy function 850 can take a more active role indeterminations of the appropriate steps to be taken to manage theparticular IMSI.

In one embodiment, the HSS 860 can be provisioned with reassigned IMSIsto facilitate the registration of a new device that has received areassigned IMSI from an original device. In one embodiment, the identityproxy function 850 can simulate a registration process to force thecommunication device 810 to generate a RES (similar to the processdescribed with respect to FIG. 5) so that the identity proxy function850 can determine whether the device requesting registration is anoriginal device or a new device.

In one embodiment, the identity proxy function 850 can obtain an IMSI ofthe communication device 810 attempting to register and can determinethe identity of that device. Based upon the IMSI and the identity of thecommunication device 810, a determination can be made (e.g., by theidentity proxy function 850 and/or the identity provisioning function899) whether to allow the registration to proceed (to the MME 840),reassign an IMSI to the communication device, provide provisioninginformation that disables use of the IMSI by the communication deviceand/or take other appropriate actions to facilitate managing use andreuse of IMSI.

For example, the communication device 810 can initiate an attachprocedure by transmitting an attach request to the eNB 825 so that theeNB can derive the appropriate MME from the Radio Resource Control (RRC)parameters carrying the old Globally Unique Mobility Management EntityIdentifier (GUMMEI) and the indicated Selected Network. The attachrequest (i.e., registration request) can be received by the identityproxy function 850 (e.g., from the eNB 825). In one embodiment, theattach request can include a Globally Unique Temporary UE Identity(GUTI) which has the GUMMEI and also has the M-TMSI, which identifiesthe particular device. This identification allows the identity proxyfunction 850 to ascertain whether the particular device is a new devicethat has been reassigned the IMSI from the listing of designated IMSIsor is the original device that was previously associated with the IMSIprior to the reassignment. In this example, the identity proxy function850 can obtain the IMSI in a number of different ways. For example, ifthe communication device 810 identifies itself with a GUTI, then theGUTI can be used to derive the old MME/SGSN address, and anIdentification Request can be sent to the old MME/SGSN to request theIMSI. In another embodiment, the identity proxy function 850 can send anIdentity Request to the communication device 810 to request the IMSI.

In one embodiment such as where the identity proxy function 850 isunable to obtain device identity information (e.g., the GUTI) for thecommunication device 810, the identity proxy function 850 can simulatethe registration process of the MME 840 to obtain information thatenables discerning whether the communication device 810 is a new devicethat has been reassigned the IMSI or is the original device that waspreviously associated with the IMSI prior to the reassignment. As anexample, the identity proxy function 850 can simulate the registrationprocess of the MME 840 so as to obtain a RES generated by thecommunication device 810 according to an EPS AKA algorithm. From thatgenerated RES, the identity proxy function 850 can detect whether thecommunication device 810 is the new device that has been reassigned theIMSI or is the original device that was previously associated with theIMSI prior to the reassignment. In this example, the identity proxyfunction 850 can communicate with other necessary components forobtaining data that is utilized in the registration process (e.g. amutual authentication process) such as bypassing the MME 840 andcommunicating via the interface 855 with the HSS 860 to obtainauthentication vectors (e.g., RAND, AUTN, XRES, K_(ASME)). The HSS 860generates authentication vector(s) using the EPS AKA algorithm andforwards them back to the identity proxy function 850. The identityproxy function 850 can select one of the authentication vectors (if morethan one was received) and can use it to perform mutual authenticationwith the communication device 810 by forwarding the RAND and AUTN_(HSS)to the communication device, which then computes RES, AUTN_(UE) andK_(ASME) using the EPS AKA algorithm. The communication device 810 canthen compare its own AUTN_(UE) and AUTN_(HSS) received from the identityproxy function 850. Once authenticated, the communication device 810 canforward the RES to the identity proxy function 850, which can thendetermine from a comparison of the XRES received from the HSS 860 withthe RES generated by the communication device whether the particulardevice is the original device or the new device since different RESswill be generated based on different secret keys (LTE K) stored atdifferent UICCs. In this example, since the identity proxy function 850requested the authentication vectors, the HSS 860 will provide them backto the identity proxy function via interface 855 rather than providingthem to the MME 840.

In one embodiment, rather than utilizing the interface 855, system 800can utilize first and second identity proxy functions 850 that arepositioned between the communication device 810 and the MME 840 andpositioned between the MME 840 and the HSS 260 (shown in dashed lines inFIG. 8), respectively. The first and second identity proxy functions 850can communicate with each other, such as to bypass the MME 840 when theidentity proxy functions 850 are simulating a registration process ofthe MME 840 and forcing the communication device 810 to generate a RES.In one embodiment, once the identity proxy function 850 has determinedthe identity of the device (original device vs. new device), theidentity proxy function 850 can require that the communication device810 perform a re-registration.

In one or more embodiments, system 800 enables receiving, by theidentity proxy function 850, a registration request associated with thecommunication device 810 where the registration request includes an IMSIof the communication device. System 800 enables accessing, by theidentity proxy function 850, information that identifies a group ofIMSIs and that indicates a subset of the group of IMSIs that have beenreassigned to other communication devices. Responsive to a firstdetermination that the IMSI is not included in the group of IMSIs or asecond determination that the IMSI is included in the subset of thegroup of IMSIs, system 800 enables providing, by the identity proxyfunction 850, the registration request to a registration function (e.g.,the MME 840 and/or the HSS 860) for completing a registration processfor the communication device which allows for communication services atthe communication device. In one embodiment, system 800 enablesreceiving, by the identity proxy function 850, device identificationdata for the communication device 810. A third determination can then beperformed as to whether the communication device 810 is one of the othercommunication devices that has received a reassignment of one of thesubset of the group of international mobile subscriber identities, wherethe third determination is based on the device identification data, andwhere the providing the registration request to the registrationfunction for completing the registration process is according to thethird determination. In one embodiment, the device identification datacomprises an IMEI. In one embodiment, the IMEI is obtained from thecommunication device 810. In one embodiment responsive to a thirddetermination that the IMSI is included in the subset of the group ofIMSIs and that the communication device 810 is not one of the othercommunication devices that has received a reassignment of one of thesubset of the group of IMSIs, system 800 enables providing, via theidentity provisioning function 899, the communication device withprovisioning information. The provisioning information causes one ofdisabling use of the IMSI by the communication device, reassignment ofanother IMSI from the group of IMSIs that is not included in the subsetof the group of IMSIs, or a combination thereof. In one embodiment, thesystem 800 enables receiving, by the identity proxy function 850, anIMEI from the communication device 810, wherein the third determinationis based on the IMEI. In one embodiment responsive to a thirddetermination that the communication device 810 is eligible for service,that the IMSI is included in the group of IMSIs, and that the IMSI isnot included in the subset of the group of IMSIs, the system 800 enablesremoval of the IMSI from the group of IMSIs and further enablesproviding, by the identity proxy function 850, the registration requestto the registration function for completing the registration process forthe communication device. In one embodiment, system 800 enablesdetermining a functionality of a universal integrated circuit card ofthe communication device 810 that stores the IMSI, where the removal ofthe IMSI from the group of IMSIs and the providing the registrationrequest to the registration function are based on a fourth determinationthat the functionality of the universal integrated circuit card iscompatible with the communication services associated with thecommunication device. In one embodiment, the identity proxy function 850is a stand-alone server located between the eNB 825 and the MME 840, andthe registration function is performed by the MME 840 utilizing servicesof the HSS 860. In one embodiment, the provisioning information can beprovided to the communication device by the identity provisioningfunction via an OTA interface, where the OTA instructions go through theidentity proxy function 850.

In one embodiment, the system 800 enables receiving, by the identityproxy function 850, a signed response message generated by thecommunication device 810 based on a random challenge; and performing, bythe identity proxy function, a third determination that thecommunication device is one of the other communication devices that hasreceived a reassignment of one of the subset of the group of IMSIs,where the third determination is based on the signed response message,and where the providing the registration request to the registrationfunction for completing the registration process is according to thethird determination. In one embodiment, the system 800 enablesproviding, by the identity proxy function 850, the random challenge tothe communication device 810.

FIG. 9 depicts an illustrative embodiment of a communication device 900.Communication device 900 can serve in whole or in part as anillustrative embodiment of the devices depicted in FIGS. 2-6 and 8 andcan be configured to perform portions of method 700 of FIG. 7. Wherecommunication device 900 is an end user device, it can include a UICC975 that stores or otherwise manages use of an IMSI for registering thecommunication device. In one embodiment, the communication device 900can be an end user device that performs operations including: providinga registration request that is received by an identity proxy functionoperating in a server, where the registration request includes a firstIMSI of the communication device; responsive to a determination that thefirst IMSI has been reassigned to another communication device and thatthe communication device 900 is not the other communication device,receiving provisioning information that includes a second IMSI; andfacilitating a registration process that utilizes the second IMSI andthat enables communication services at the communication device. In oneembodiment, the provisioning information includes disabling informationthat disables use of the first IMSI by the communication device 900,where the registration process utilizes a secret key that was previouslyassociated with the first IMSI prior to the first IMSI being reassignedto the other communication device, and where the receiving of theprovisioning information is responsive to determining that thecommunication device is eligible for the communication services.

In another embodiment, the communication device 900 can be a networkdevice (e.g., a network server executing the identity proxy function250, 850 and/or the identity provisioning function 350, 899) thatperforms operations including: receiving an IMSI of a communicationdevice; accessing information that identifies a group of IMSIs and thatindicates a subset of the group of IMSIs that have been reassigned toother communication devices; and, responsive to a first determinationthat the IMSI is included in the subset of the group of IMSIs and thatthe communication device is not one of the other communication devicesthat has received a reassignment of one of the subset of the group ofIMSIs, providing the communication device with provisioning informationthat disables use of the IMSI by the communication device. In oneembodiment, the communication device 900 can, responsive to determiningthat use of the IMSI by the communication device has been nullified,provide a notification to or otherwise perform a removal of the IMSIfrom the group of IMSIs. In one embodiment, the communication device 900can, receive an IMEI from the communication device, where the firstdetermination is based on the IMEI. In one embodiment, the communicationdevice 900 can, perform a second determination that the communicationdevice is not service eligible, where the providing the communicationdevice with the provisioning information is responsive to the seconddetermination. In one embodiment, the communication device 900 can,responsive to a second determination that the IMSI is included in thesubset of the group of IMSIs and that the communication device is one ofthe other communication devices that has received a reassignment of oneof the subset of the group of IMSIs, providing a registration request toa registration function for completing a registration process for thecommunication device that enables communication services at thecommunication device. In one embodiment, the provisioning informationenables reassignment of another IMSI from the group of IMSIs that is notincluded in the subset of the group of IMSIs, and where thecommunication device 900 can provide a registration request to aregistration function for completing a registration process for thecommunication device utilizing the other IMSI. In one embodiment, theregistration process for the communication device utilizing the otherIMSI is further based on a secret key that was previously associatedwith the IMSI prior to the reassignment of the other IMSI to thecommunication device.

Communication device 900 can include more or less than the componentsdescribed herein. For example, communication device 900 can comprise awireline and/or wireless transceiver 902 (herein transceiver 902), auser interface (UI) 904, a power supply 914, a location receiver 916, amotion sensor 918, an orientation sensor 920, and a controller 906 formanaging operations thereof. The transceiver 902 can support short-rangeor long-range wireless access technologies such as Bluetooth®, ZigBee®,WiFi, DECT, or cellular communication technologies, just to mention afew (Bluetooth® and ZigBee® are trademarks registered by the Bluetooth®Special Interest Group and the ZigBee Alliance, respectively). Cellulartechnologies can include, for example, CDMA-1X, UMTS/HSDPA, GSM/GPRS,TDMA/EDGE, EV/DO, WiMAX, SDR, LTE, as well as other next generationwireless communication technologies as they arise. The transceiver 902can also be adapted to support circuit-switched wireline accesstechnologies (such as PSTN), packet-switched wireline accesstechnologies (such as TCP/IP, VoIP, etc.), and combinations thereof.

The UI 904 can include a depressible or touch-sensitive keypad 908 witha navigation mechanism such as a roller ball, a joystick, a mouse, or anavigation disk for manipulating operations of the communication device900. The keypad 908 can be an integral part of a housing assembly of thecommunication device 900 or an independent device operably coupledthereto by a tethered wireline interface (such as a USB cable) or awireless interface supporting for example Bluetooth®. The keypad 908 canrepresent a numeric keypad commonly used by phones, and/or a QWERTYkeypad with alphanumeric keys. The UI 904 can further include a display910 such as monochrome or color LCD (Liquid Crystal Display), OLED(Organic Light Emitting Diode) or other suitable display technology forconveying images to an end user of the communication device 900. In anembodiment where the display 910 is touch-sensitive, a portion or all ofthe keypad 908 can be presented by way of the display 910 withnavigation features.

The display 910 can use touch screen technology to also serve as a userinterface for detecting user input. As a touch screen display, thecommunication device 900 can be adapted to present a user interface withgraphical user interface (GUI) elements that can be selected by a userwith a touch of a finger. The touch screen display 910 can be equippedwith capacitive, resistive or other forms of sensing technology todetect how much surface area of a user's finger has been placed on aportion of the touch screen display. This sensing information can beused to control the manipulation of the GUI elements or other functionsof the user interface. The display 910 can be an integral part of thehousing assembly of the communication device 900 or an independentdevice communicatively coupled thereto by a tethered wireline interface(such as a cable) or a wireless interface.

The UI 904 can also include an audio system 912 that utilizes audiotechnology for conveying low volume audio (such as audio heard inproximity of a human ear) and high volume audio (such as speakerphonefor hands free operation). The audio system 912 can further include amicrophone for receiving audible signals of an end user. The audiosystem 912 can also be used for voice recognition applications. The UI904 can further include an image sensor 913 such as a charged coupleddevice (CCD) camera for capturing still or moving images.

The power supply 914 can utilize common power management technologiessuch as replaceable and rechargeable batteries, supply regulationtechnologies, and/or charging system technologies for supplying energyto the components of the communication device 900 to facilitatelong-range or short-range portable applications. Alternatively, or incombination, the charging system can utilize external power sources suchas DC power supplied over a physical interface such as a USB port orother suitable tethering technologies.

The location receiver 916 can utilize location technology such as aglobal positioning system (GPS) receiver capable of assisted GPS foridentifying a location of the communication device 900 based on signalsgenerated by a constellation of GPS satellites, which can be used forfacilitating location services such as navigation. The motion sensor 918can utilize motion sensing technology such as an accelerometer, agyroscope, or other suitable motion sensing technology to detect motionof the communication device 900 in three-dimensional space. Theorientation sensor 920 can utilize orientation sensing technology suchas a magnetometer to detect the orientation of the communication device900 (north, south, west, and east, as well as combined orientations indegrees, minutes, or other suitable orientation metrics).

The communication device 900 can use the transceiver 902 to alsodetermine a proximity to a cellular, WiFi, Bluetooth®, or other wirelessaccess points by sensing techniques such as utilizing a received signalstrength indicator (RSSI) and/or signal time of arrival (TOA) or time offlight (TOF) measurements. The controller 906 can utilize computingtechnologies such as a microprocessor, a digital signal processor (DSP),programmable gate arrays, application specific integrated circuits,and/or a video processor with associated storage memory such as Flash,ROM, RAM, SRAM, DRAM or other storage technologies for executingcomputer instructions, controlling, and processing data supplied by theaforementioned components of the communication device 900.

Other components not shown in FIG. 9 can be used in one or moreembodiments of the subject disclosure. For instance, the communicationdevice 900 can include a reset button (not shown). The reset button canbe used to reset the controller 906 of the communication device 900. Inyet another embodiment, the communication device 900 can also include afactory default setting button positioned, for example, below a smallhole in a housing assembly of the communication device 900 to force thecommunication device 900 to re-establish factory settings. In thisembodiment, a user can use a protruding object such as a pen or paperclip tip to reach into the hole and depress the default setting button.The communication device 900 can also include a slot for adding orremoving the UICC 975 (where it is not an embedded UICC). The UICC 975can be various types of UICCs and can be a Subscriber Identity Module(SIM) card. The UICC 975 can be used for identifying subscriberservices, executing programs, storing subscriber data, and so forth.

The communication device 900 as described herein can operate with moreor less of the circuit components shown in FIG. 9. These variantembodiments can be used in one or more embodiments of the subjectdisclosure.

The communication device 900 can be adapted to perform the functions ofthe devices of FIGS. 2-6 and 8 including communication devices 210, 410,810, as well as the identity proxy functions 250, 850, the identityprovisioning functions 350, 899 and other network components describedherein. It will be appreciated that the communication device 900 canalso represent other devices that can operate in systems 200 and 800. Inaddition, the controller 906 can be adapted in various embodiments toperform the functions 462 which enables management of the re-use ofIMSIs.

Upon reviewing the aforementioned embodiments, it would be evident to anartisan with ordinary skill in the art that said embodiments can bemodified, reduced, or enhanced without departing from the scope of theclaims described below. For example, other factors can be utilized todetermine whether an original device should receive an IMSI from thedesignated group of IMSIs (which has not yet been reassigned) or whetherthe original device should continue to utilize the original IMSI. Forinstance, even though the original IMSI may not yet have beenreassigned, the service provider may desire to reassign another IMSI(from the designated IMSI to be reassigned) such as to facilitatecategorizing devices and/or subscribers based on particular groupings ofIMSIs.

The exemplary embodiments have been described with respect to GSM andLTE networks 200, 800, respectively. However, the exemplary embodimentscan be utilized for managing use of IMSIs in various types of networks.For example in a Universal Mobile Telecommunications System (UMTS)network, IMSI management can be performed as described in the exemplaryembodiments by intercepting a registration request utilizing an identityproxy function (e.g., positioned between the BSS and the Serving GPRSSupport Node (SGSN)). In another example in a General Packet RadioService (GPRS) network, IMSI management can be performed as described inthe exemplary embodiments by intercepting a registration requestutilizing an identity proxy function.

In one or more embodiments, other steps or procedures can be implementedwhen an original device that has been flagged as inactive attempts toregister with the network. For example, when an original device whoseoriginal IMSI has been re-assigned to another device is detected duringa registration request, the network can limit interaction of theoriginal device with the network. For instance, the UICC of the originaldevice can be forced to use a default or bootstrap IMSI which haslimited functionality such as being limited to bootstrap functions(e.g., functions that enable communicating with the network foradministrative reasons including obtaining a reassigned IMSI), a pay forservice mode, and so forth. For instance, a pay for service mode can beimplemented by the default IMSI by allowing registration that enablesaccess to a webpage for selecting and paying for particularcommunication services, such as messaging, voice calls, and so forth. Inone embodiment, the default IMSI can be stored by the UICC in additionto the original IMSI. In one embodiment, the provisioning informationprovided to the UICC can cause the UICC to utilize the default IMSIinstead of the original IMSI. In another embodiment, the identityprovisioning function 350, 899 can provision the default IMSI to theoriginal device rather than provisioning an IMSI from the designatedgroup of IMSIs. The default or bootstrap IMSI can differ from anoriginal IMSI in that the original IMSI can be utilized by a device(e.g., a new device reassigned the original IMSI or the original devicethat is re-authorized to utilize the IMSI) for accessing a full range ofavailable services whereas the default or bootstrap IMSI does notprovide access to the full range of available services, although thedefault or bootstrap IMSI could provide access to a webpage for pay forservice mode. In one embodiment, a same default or bootstrap IMSI can beutilized by numerous devices that have been flagged as inactive.

In one or more embodiments, the intercepting of the IMSI and determiningwhether to allow registration to continue by the identity proxy function250, 850 prevents a failure or other error message from being generatedand/or from being provided to the communication device which could haveadverse effects on the communication device such as disabling OTAinterface of the communication device.

In one or more embodiments, the identity proxy function 250, 850 cancache or otherwise store last successful registration processes forparticular devices to utilize that information for determining whether adevice requesting registration is an original device or a new devicewith a reassigned IMSI. In one embodiment, the device identificationinformation (e.g., an IMEI) can be sourced by one or more other networkelements. Other embodiments can be used in the subject disclosure.

It should be understood that devices described in the exemplaryembodiments can be in communication with each other via various wirelessand/or wired methodologies. The methodologies can be links that aredescribed as coupled, connected and so forth, which can includeunidirectional and/or bidirectional communication over wireless pathsand/or wired paths that utilize one or more of various protocols ormethodologies, where the coupling and/or connection can be direct (e.g.,no intervening processing device) and/or indirect (e.g., an intermediaryprocessing device such as a router).

FIG. 10 illustrates a portion of a system 1000 that providescommunication services to end user devices or other devices, such ascommunication device 1010. System 1000 can be part of or combined withall or a portion of system 200 of FIG. 2, system 800 of FIG. 8 oranother network such as a GPRS or UMTS network. The communication device1010 can be various types of devices such as a mobile phone or otherdevices that utilize an IMSI for establishing communication services.The types of communication services can vary including voice services,video, data and/or messaging. System 1000 enables IMSI re-use by thesame or other communication devices through use of an identity proxyfunction 1050 (which can perform some or all of the functions describedwith respect to identity proxy functions 250, 850) and an identityprovisioning function 1099 (which can perform some or all of thefunctions described with respect to identity proxy functions 350, 899).System 1000 provides for registration of communication devices throughuse of a registration function 1060, such as an MSC/VLR and/or HLR in aGSM network or an MME and/or HSS in an LTE network.

System 1000 may or may not include intermediate network components inthe message exchange paths. In one embodiment, the communication device1010 can be reassigned an IMSI from a listing of designated IMSIs wherethe IMSI was previously associated with a different communication device(e.g., which has been flagged as an inactive device). In this example at1001, the identity provisioning function 1099 can receive a request, beinstructed or otherwise determine that an IMSI (in a list of designatedIMSIs) is to be reassigned to the communication device 1010. Thecommunication device 1010 can be a new device that needs an IMSI toprovide communication services or can be an existing device thatrequires another IMSI due to some other reason, such as having its ownIMSI reassigned to a different device.

At 1002, the identity provisioning function 1099 can notify theregistration function 1060 (e.g., the HLR 260 in system 200 of FIG. 2 orthe HSS 860 in system 800 of FIG. 8) that the communication device 1010is now associated with the particular reassigned IMSI. This can includedeleting an original IMSI assignment for the communication device 1010and/or adding the new IMSI assignment for the communication device 1010in a database, such as of the HLR 260 or the HSS 860. In one embodiment,this notification can cause the HLR 260 or HSS 860 to perform a databaseupdate such as re-mapping to particular HLR records, adjusting mappingwith respect to MSISDNs, adjusting an identification of availablecommunication services that the subscriber has requested or isauthorized to utilize, adjusting GPRS settings to allow the subscriberto access packet services, and so forth. By notifying the registrationfunction 1060 that the communication device 1010 is now associated withthe particular reassigned IMSI, the communication device 1010 can nowsuccessfully register with the network.

At 1003, the identity provisioning function 1099 can notify the identityproxy function 1050 that the communication device 1010 is now associatedwith the particular reassigned IMSI or can notify the identity proxyfunction that an IMSI in the listing of designated IMSIs has been movedto the subset of designated IMSIs due to reassignment to another device(with or without indicating the particular new device that has beenreassigned the IMSI). In one embodiment, the identity proxy function1050 can already be aware that the IMSI is part of the group of IMSIsdesignated for potential reassignment and can already be aware that anoriginal communication device associated with the particular IMSI hasbeen flagged as inactive. In this example, the identity proxy function1050 can switch a designation of the particular IMSI to being flagged aswithin the subset of the designated IMSIs that have already beenreassigned to another device (i.e., the communication device 1010 inthis example).

System 1000 also illustrates a successful registration of communicationdevice 1010 utilizing the reassigned IMSI from steps 1001-1003. Forexample at 1011, the communication device 1010 (which has beenreassigned the IMSI) can request registration with the network. Aregistration request including the reassigned IMSI can be received bythe registration function 1060 (e.g., an MSC/VLR in a GSM network or anMME in an LTE network). In one embodiment, the registration request canalso be received by the identity proxy function 1050. For instance, theregistration request can be intercepted or otherwise received by theidentity proxy function 1050 and then forwarded to the registrationfunction 1060. A registration process can be performed according to thereassigned IMSI and a secret key that is associated with thecommunication device 1010. The registration function 1060 can be awareof the secret key associated with the communication device 1010 and canbe aware of the reassigned IMSI that is now associated with thecommunication device. The registration process can be similar to theprocesses described herein with respect to GSM or LTE networks, such asa comparison of SRES in GSM or a comparison of RES in LTE or acomparison of XRES in UMTS environment. At 1012, a successfulregistration can be communicated to the communication device 1010. Theparticular messaging that makes up the registration request and theregistration process can vary.

FIG. 11 illustrates a portion of a system 1100 that providescommunication services to end user devices, such as communication device1110. System 1100 can be part of or combined with all or a portion ofsystem 200 of FIG. 2, system 800 of FIG. 8, system 1000 of FIG. 10 oranother network such as a GPRS or UMTS network. The communication device1110 can be various types of devices such as a mobile phone or otherdevices that utilize an IMSI for establishing communication services.The types of communication services can vary including voice services,video, data and/or messaging. System 1100 enables IMSI re-use by thesame or other communication devices through use of an identity proxyfunction 1050 (which can perform some or all of the functions describedwith respect to identity proxy functions 250, 850) and an identityprovisioning function 1099 (which can perform some or all of thefunctions described with respect to identity proxy functions 350, 899).System 1100 provides for registration of communication devices throughuse of a registration function 1060, such as an MSC/VLR and/or HLR in aGSM network or an MME and/or HSS in an LTE network.

System 1100 may or may not include intermediate network components inthe message exchange paths. System 1100 illustrates an attemptedregistration by the communication device 1110 utilizing an IMSI that isincluded in the listing of designated IMSIs (e.g., where thecommunication device 1110 is an original device that has been flagged asinactive). For example at 1101, the communication device 1110 canrequest registration with the network. A registration request (e.g.,including an original IMSI that is among the listing of designated IMSIsfor reassignment or has already been reassigned to another device or anIMSI that is not on the designated list) can be received by theregistration function 1060 (e.g., an MSC/VLR in a GSM network or an MMEin an LTE network). In one embodiment, the registration request can alsobe received by the identity proxy function 1050. For instance, theregistration request can be intercepted or otherwise received by theidentity proxy function 1050 and then forwarded to the registrationfunction 1060. A registration process can be performed according to theoriginal IMSI and a secret key that is associated with the communicationdevice 1110. The registration function 1060 can be aware of the secretkey associated with the communication device 1110. The registrationprocess can be similar to the processes described herein with respect toGSM or LTE networks, such as a comparison of SRES in GSM or a comparisonof RES in LTE.

At 1102, a registration error can be generated by the registrationfunction 1060 (e.g., an authentication failure message generated by theMSC/VLR and/or HLR in GSM or by the MME and/or HSS in LTE) and can bereceived by the identity proxy function 1050 from the registrationfunction 1060. In this example, the identity proxy function 1050 canintercept the authentication error message prior to or otherwise toavoid it being received by the communication device 1110. The particularmessaging that makes up the registration request, the registrationprocess and/or the registration error can vary. In one embodiment, theidentity proxy function 1050 can determine that the registration erroris a valid failure for a device that should not be attempting to use theIMSI (such as a third device that is not the original device and is nota new device that has been reassigned the IMSI). For instance, anauthentication failure can be received for a device that is not theoriginal device and is not a new device that has been reassigned theIMSI. In this example, the identity proxy function 1050 can allow theerror process (e.g., an authentication failure messaging) to proceed. Inanother embodiment at 1103, a request for reassignment of another IMSIfrom the listing of the designated IMSIs or authorization to utilize theoriginal IMSI can be provided to the identity provisioning function 1099from the identity proxy function 1050. For instance, the identity proxyfunction 1050 can (e.g., in response to receiving the error message)compare the original IMSI associated with communication device 1110 tothe list of designated IMSIs and the subset of the designated IMSIs todetermine the status of the original IMSI (reassigned vs notreassigned). The identity proxy function 1050 can further determine theidentity of the communication device 1110 (original vs new device) basedon device identification information (e.g., an IMEI, GUTI and so forth).

In one embodiment, where the error message does not include any deviceidentification information and/or the IMSI, the identity proxy function1050 can ascertain the device identification information and/or IMSIfrom the registration request that was previously received orintercepted. For instance, when the identity proxy function 1050 detectsa registration error message (e.g., an AUTHENTICATION REJECT messagefrom an MME), the identity proxy function 1050 can detect within themessage addressing information, message ID information, correlation IDinformation, and so forth, and can further correlate the error messagewith the stored registration request previously intercepted. Thisenables the IMSI and/or device identification information (e.g., GUTI orIMEI) to be determined.

Continuing with this example and based on this information, reassignmentof another IMSI from the listing of the designated IMSIs orauthorization use of the original IMSI can be implemented. In oneembodiment, the identity provisioning function 1099 can notify the HLRor HSS that the user is valid and the HLR or HSS can perform a databaseupdate to enable a subsequent registration utilizing the reassigned IMSIby the device. In this example, the identity proxy function 1050 canalso take action, such as preventing forwarding of the failedregistration to the device, to cause the device to reattempt theregistration. In one embodiment, a determination of a subscriber'seligibility for services can be made. Eligibility for services can bebased on various factors such as suspension of services for non-paymentor other reasons, the device/UICC is no longer compatible with networkor services, and so forth. In another embodiment, a determination of acompatibility of service with a UICC of the communication device 1110can be made. One or both of these determinations can be part of decidingwhether to reassign another IMSI from the listing of the designatedIMSIs, to authorize use of the original IMSI, or to deny services to thecommunication device 1110. These determinations can be made by theidentity provisioning function 1099 or can be made by another networkelement.

If it is determined that an IMSI from the listing of designated IMSIs(which has not yet been reassigned) is to be reassigned to thecommunication device 1110, then at 1104 provisioning information can beprovided by the identity provisioning function 1099 to the registrationfunction 1060 which will enable the communication device to registerwith the network utilizing the reassigned IMSI in conjunction with anoriginal secret key that is associated with the communication device. Inone embodiment, if it is determined that the communication device 1110is to be permitted to reuse its original IMSI (where the original IMSIhas not yet been reassigned to another device), then provisioninginformation can be provided by the identity provisioning function 1099to the registration function 1060 which will enable the communicationdevice to register with the network utilizing the original IMSI inconjunction with the original secret key that is associated with thecommunication device.

If it is determined that a reassigned IMSI is to be provisioned to thecommunication device 1110, then at 1104 provisioning information can beprovided by the identity provisioning function 1099 to the communicationdevice 1110 which will include the reassigned IMSI. As an example, theidentity provisioning function 1099 can provide the reassigned IMSI tothe communication device 1110 utilizing an OTA interface according to anSMS protocol such as through use of a registration simulation platform(e.g., performing function similar to that of registration simulationplatform 675 in FIG. 6). In one embodiment, if it is determined that thecommunication device 1110 is not to be permitted to reuse its originalIMSI (e.g., another IMSI is to be reassigned or the communication device1110 is not eligible for services), then provisioning information can beprovided by the identity provisioning function 1099 to the communicationdevice 1110 to prevent the communication device from attempting toregister with the network utilizing the original IMSI. In oneembodiment, the identity provisioning function 1099 can furthercommunicate with various network elements (e.g., the identity proxyfunction 1050, HLR, HSS, EIR, and so forth) so that the network elementsare informed of the current state of IMSIs and/or communication devices.For example, if an original device is reassigned another IMSI or anoriginal device is nullified from using the original IMSI viaprovisioning information then the identity provisioning function 1099can remove the original IMSI (of that original device) from the listingof designated IMSIs. In these examples, the original IMSI can also thenbe assigned to another device (if not already reassigned).

At 1106 if another IMSI has been reassigned to the communication device1110 or reuse of the original IMSI has been authorized, then thecommunication device 1110 can re-register. For example, the provisioninginformation provided by the identity provisioning function 1099 to thecommunication device 1110 can cause the communication device to initiatea re-registration. The re-registration request can be received andprocessed by the registration function 1060 and based on theprovisioning procedures at steps 1104 and 1105, a successfulregistration message can be provided to the communication device 1110 at1107.

FIG. 12 depicts an illustrative embodiment of a method 1200 used bysystems 1000, 1100 for facilitating the re-use of IMSIs. One or more ofthe steps of method 1200 can be performed by the identity proxy function1050, the identity provisioning function 1099 and/or by other devicesdescribed in FIGS. 2-6 and 8-9. At 1202, an error message can bereceived that is associated with a communication device. For instance,the error message can result from a registration request that isgenerated by or caused to be generated by the communication deviceutilizing an IMSI that is part of the listing of designated IMSIs. As anexample in GSM, the identity proxy function 1050 can receive anauthentication failure message from a VLR. As another example in LTE,the identity proxy function 1050 can receive an authentication failuremessage from an MME. In one or more embodiments, the determination of anauthentication failure (e.g., by an HLR or HSS) can be based on an IMSIand secret key combination for a device that is flagged as inactive. Ifthere is no determination of an error (e.g., the IMSI is not included inthe listing of designated IMSIs or the IMSI has been reassigned to a newdevice and the registration request is from that new device) then method1200 can proceed to 1216 so that the registration process can becompleted which enables the communication device to obtain services viathe network.

At 1204, a screening of the IMSI can be performed by the identity proxyfunction 1050. For example, the identity proxy function 1050 candetermine whether the IMSI is included in the designated group of IMSIsand if so can further determine whether the IMSI is included in a subsetof the group which is further designated as having already beenreassigned to another communication device. If the IMSI is not part ofthe designated group of IMSIs then method 1200 can proceed to 1206 forthe authentication failure message to be delivered to the communicationdevice 1110. If on the other hand the IMSI is part of the designatedgroup of IMSIs then a determination can be made at 1206 as to whetherthe error message is for an original device that was associated with theIMSI (e.g., prior to being reassigned) or whether error message is forsome other device. The identification of the particular device can beperformed in a number of different ways, such as based on deviceidentification information (e.g., IMEI). In one embodiment, where theerror message does not include any device identification informationand/or the IMSI, the identity proxy function 1050 can ascertain thedevice identification information and/or IMSI from the registrationrequest that was previously received or intercepted. For instance, whenthe identity proxy function 1050 detects a registration error message(e.g., an AUTHENTICATION REJECT message from an MME), the identity proxyfunction 1050 can detect within the message addressing information,message ID information, correlation ID information, and so forth, andcan further correlate the error message with the stored registrationrequest previously intercepted. This enables the IMSI and/or deviceidentification information (e.g., GUTI or IMEI) to be determined.

If the error message is not for the original device (e.g., a device thatthe IMSI was previously associated with prior to being added to thelisting of designated IMSIs) then method 1200 can proceed to 1206 forthe authentication failure message to be delivered to the communicationdevice 1110. If on the other hand the error message is for the originaldevice then a determination can be made at 1210 as to whether thesubscriber of the original device is eligible for communicationservices. Eligibility for services can be based on various factors andcan be determined by various components or a combination of components,such as based on billing, device hardware requirements, device softwarerequirements, and so forth.

If the subscriber of the original device is not eligible forcommunication services then at 1212 provisioning information can beprovided to the original device (e.g., via OTA provisioning by theidentity provisioning function 1099 such as through use of theregistration simulation platform 675) that causes disabling the use ofthe original IMSI by the original device. In one embodiment, the IMSIcan then be removed from the listing of designated IMSIs.

If on the other hand the subscriber of the original device is eligiblefor communication services then at 1214 the original device can beauthorized to utilize the particular IMSI (e.g., if it is determinedthat the particular IMSI has not yet been reassigned) or the originaldevice can be provisioned, such as through use of the registrationsimulation platform 675, with another IMSI (e.g., if it is determinedthat the original IMSI has already been reassigned to another device)and registration of the device can be completed at 1216.

In one embodiment, the new IMSI reassigned to the original device can beselected from the listing of designated IMSI (which is not included inthe subset of IMSIs that has already been reassigned). In oneembodiment, the communication device 1110 can be instructed tore-register utilizing the new IMSI if one has been reassigned orutilizing the original IMSI if reuse of that original IMSI has beenauthorized.

While for purposes of simplicity of explanation, the respectiveprocesses are shown and described as a series of blocks in FIG. 12, itis to be understood and appreciated that the claimed subject matter isnot limited by the order of the blocks, as some blocks may occur indifferent orders and/or concurrently with other blocks from what isdepicted and described herein. Moreover, not all illustrated blocks maybe required to implement the methods described herein.

FIG. 13 illustrates a portion of a system 1300 that providescommunication services to end user devices or other devices, such ascommunication device 1310. System 1300 can be part of or combined withall or a portion of system 200 of FIG. 2, system 800 of FIG. 8, system1000 of FIG. 10, system 1100 of FIG. 11 or another network such as aGPRS or UMTS network. The communication device 1310 can be various typesof devices such as a mobile phone or other devices that utilize an IMSIfor establishing communication services. The types of communicationservices can vary including voice services, video, data and/ormessaging. System 1300 enables IMSI re-use by the same or othercommunication devices through use of an identity proxy function 1350(which can perform some or all of the functions described with respectto identity proxy functions 250, 850, 1050) and an identity provisioningfunction 1399 (which can perform some or all of the functions describedwith respect to identity proxy functions 350, 899, 1099). System 1300provides for registration of communication devices through use of aregistration function 1360, such as an MSC/VLR and/or HLR in a GSMnetwork or an MME and/or HSS in an LTE network, where an IMSI may or maynot be reassigned to the communication device via the identityprovisioning function 1399.

System 1300 may or may not include intermediate network components inthe message exchange paths. System 1300 illustrates an attemptedregistration by the communication device 1310 which has been flagged asinactive (e.g., services have been suspended, failure to register overthreshold time period, and so forth). The identity proxy function 1350facilitates registration of devices where the particular IMSI is abootstrap IMSI 1311 or an IMSI 1312 that the network does not want thecommunication device to utilize for registration, such as an IMSI thathas already been reassigned to another device. FIG. 13 illustrates bothof IMSIs 1311, 1312, but the communication device 1310 can have one orthe other of the IMSIs, such as stored in a UICC of the communicationdevice. In this embodiment, the identity proxy function 1350 canintercept or otherwise receive the IMSI, such as based on intercepting aregistration request (e.g., prior to the registration request beingprovided to an MSC/VLR and/or HLR in GSM as illustrated in FIG. 2 orprior to the registration request being provided to an MME and/or HSS inLTE as illustrated in FIG. 8). In another embodiment, the identity proxyfunction 1350 can intercept or otherwise receive the IMSI which isassociated with a registration error, such as an authentication failuremessage as illustrated in FIG. 11. A bootstrap IMSI 1311 can be an IMSIthat provides for limited functionality such as being limited tobootstrap functions (e.g., functions that enable communicating with thenetwork for administrative reasons including obtaining a reassignedIMSI), a pay for service mode, and so forth. For instance, a pay forservice mode can be implemented by the bootstrap IMSI 1311 by allowingregistration that enables access to a webpage for selecting and payingfor particular communication services, such as messaging, voice calls,and so forth. The bootstrap IMSI 1311 can differ from an original IMSI1312 in that the original IMSI can be utilized by a device (e.g., a newdevice reassigned the original IMSI or the original device that isre-authorized to utilize the IMSI) for accessing a full range ofavailable services whereas the default or bootstrap IMSI does notprovide access to the full range of available services, although thedefault or bootstrap IMSI could provide access to a webpage for pay forservice mode. In one embodiment, a same bootstrap IMSI 1311 can beutilized by numerous devices that have been flagged as inactive.

In one embodiment at 1301, the original device 1310 can requestregistration with the network where the identity proxy function 1350 candetermine whether or not the particular IMSI is part of a group ofdesignated IMSIs. In one embodiment, the group of designated IMSIs caninclude bootstrap IMSIs and/or IMSIs that the network does not wantutilized by the original devices (e.g., where the IMSI has already beenreassigned to another device). In one embodiment, bootstrap IMSIs can beIMSIs that provide for limited use by a communication device. Forinstance, the limited use of a bootstrap IMSI can include enablingcommunication with network element(s) for initiating or otherwisefacilitating a registration process and/or provisioning of another IMSIwithout enabling user communication services (e.g., voice, video, data,messaging) at the communication device utilizing the bootstrap IMSI.

In one embodiment, the identity proxy function 1350 can identify theparticular device requesting registration with the network. For example,device identification information (e.g., an IMEI or GUTI) can beobtained for the original device 1310, such as being received fromdevice 1310 (e.g., in the registration request) or obtained from anothernetwork element (e.g., from an Identification Request sent to the oldMME/SGSN to request the IMSI). As another example, if the IMSI has notyet been reassigned but is part of a group of IMSIs designated forpotential reassignment then the identity proxy function 1350 candetermine that the device requesting registration is the original device1310 that has been flagged as inactive. In another embodiment,identification of the device can be based on simulating a registrationprocess and forcing a generation of an SRES (in GSM) or RES (in LTE) bythe communication device 1310, as described herein.

In one embodiment, registration simulation platform 675 can be utilized(e.g., positioned between the communication device 1310 and the VLR inGSM or positioned between the communication device and the MME in LTE).As described herein, the simulating network can send an OTA message tothe device that can cause the modification of the device IMSI and cancause the device to perform a re-registration to the target network. Forexample, the simulating network can comprise a set of functionalelements that exist in the target network including an MSC/VLR, a MME, aHLR or HSS, an AUC, a SMSC, an OTA platform, a SGW, a PGW, an EIR and/orany combination thereof. In one embodiment, the registration simulationplatform 675 can simulate a registration of the communication device1310, identify the communication device from the secret key and/or fromother identification information (e.g., IMEI or GUTI) and/or can causethe communication device to change from the bootstrap IMSI 1311 to anactive IMSI via OTA.

In one embodiment, the identity proxy function 1350 and/or the identityprovisioning function 1399 can determine whether the original device1310 is eligible for services. If the original device 1310 is noteligible for services (e.g., suspension of services for non-payment orother reasons, device/UICC is no longer compatible with network orservices, and so forth) then the identity proxy function 1350 can causeor otherwise facilitate or enable provisioning information to beprovided (e.g., via the identity provisioning function 1399) to theoriginal device 1310 to cause the original device to disable its use ofan original IMSI 1312. In this example, the original IMSI 1312 can thenbe removed from the designated listing of IMSIs and can instead beincluded with other IMSIs (e.g., that have never been used before) thatare eligible for assignment.

In one embodiment, if the communication device 1310 is eligible forservices then the identity provisioning function 1399 can implement areassignment of another IMSI 1313 (e.g., from a listing of IMSIs thatare designated for reassignment) for the device 1310. For example at1302, responsive to a determination that an IMSI reassignment iswarranted (e.g., a bootstrap IMSI is being utilized, the original IMSIhas already been reassigned to another device, and/or a subscriber ofthe original device 1310 is eligible for services) then the identityproxy function 1350 can provide a request to the identity provisioningfunction 1399 for the other IMSI 1313 or the determination can be madeby the identity provisioning function 1399. In one embodiment, theoriginal device 1310 can continue to utilize its original secret key(which is mapped to the original device by the network such as in an HLRor HSS). In one embodiment, the determination of eligibility forservices can be made by the identity provisioning function 1399 suchthat the identity proxy function 1350 automatically transmits therequest to the identity provisioning function 1399 for another IMSIresponsive to a determination that the IMSI is in the listing ofdesignated IMSIs and the identity provisioning function 1399 can approveor deny the request.

Continuing with this example at 1303, the identity provisioning function1399 can notify various network elements (e.g., the HLR 260, the AUC270, an EIR, the HSS 860, and/or a national SIM manager) that thecommunication device 1310 is now associated with the particularreassigned IMSI 1313. In one embodiment, this transmitting of networkprovisioning data can cause the HLR 260 or HSS 860 to delete (orotherwise note the change of) an original IMSI assignment for thecommunication device 1310 and/or add the new IMSI assignment for thecommunication device 1310 in its database. In one embodiment, thisnotification can cause the HLR 260 or the HSS 860 to perform a databaseupdate such as re-mapping to particular HLR records, adjusting mappingwith respect to MSISDNs, adjusting an identification of availablecommunication services that the subscriber has requested or isauthorized to utilize, adjusting GPRS settings to allow the subscriberto access packet services, and so forth. In one or more embodiments, theHLR 260 and/or the HSS 860 may or may not have information correspondingto the bootstrap IMSI 1311.

In one embodiment at 1304, the identity provisioning function 1399 canprovide provisioning information to the communication device 1310, suchas via an OTA interface (e.g., using an SMS protocol such as throughregistration simulation platform 675). The provisioning information cancause the UICC to be adjusted so that the reassigned IMSI 1313 is nowutilized by the communication device 1310 for communication services. At1305, the communication device 1310 can then attempt to re-registerutilizing the reassigned IMSI 1313. The identity proxy function 1350 canreceive the re-registration request for the communication device 1310,which now includes the reassigned IMSI 1313, and at 1306-1308 theregistration process (e.g., via the VLR 245 and the HLR 260 in system200 or via the MME 840 and the HSS 860 in LTE) can be completed based onthe reassigned IMSI 1313. In one or more embodiments, the identityprovisioning function 1399 can provision an NSM with the reassigned IMSI1313 for the original device where the secret key of the original deviceis already known. In another embodiment, the identity provisioningfunction 1399 can be integrated with equipment of the NSM. In oneembodiment, a billing system can detect the change in IMSI for the UICCand can provision some or all other network elements necessary forenabling call processing (e.g., HLR 260, AUC 270, MME 840 and/or HSS860). In one embodiment, the identity proxy function 1350 and/or theidentity provisioning function 1399 can provide instructions to thecommunication device 1310 that causes the communication device toinitiate a re-registration utilizing the re-assigned IMSI 1313.

FIG. 14 depicts an illustrative embodiment of a method 1400 used bysystem 1300 for facilitating the reassignment of IMSIs where a device isattempting to register utilizing a bootstrap IMSI or utilizing an IMSIthat the network does not want the device to continue to utilize. One ormore of the steps of method 1400 can be performed by the identity proxyfunction 1350, the identity provisioning function 1399 and/or by otherdevices described in FIGS. 2-6, 8-11 and 13. At 1402, an IMSI can bereceived that is associated with a communication device. For instance,the IMSI can be part of a registration request that is generated by orcaused to be generated by the communication device 1310 or can beassociated with an authentication failure caused by use of theparticular IMSI (e.g., the IMSI has been reassigned and theIMSI/original secret key combination is no longer valid and thus cannotbe authenticated). At 1404, a determination of the status of the IMSIcan be made. For example, the identity proxy function 1350 can determinewhether the IMSI is included in a designated group of IMSIs (e.g., abootstrap IMSI or an IMSI that the network does not want the device tocontinue to utilize). In one embodiment, if the IMSI is not part of thedesignated group of IMSIs then the registration process can be continuedby forwarding the registration request and/or IMSI to the registrationfunction 1360 (e.g., MSC/VLR in GSM or MME in LTE) to perform theregistration at 1406. If on the other hand the IMSI is part of thedesignated group of IMSIs then a determination can be made at 1408 as towhether the registration request is for an original device that wasassociated with the IMSI (e.g., prior to being reassigned) or whetherthe registration request is for another device (e.g., a new device thathas been reassigned the IMSI). The identification of the particulardevice can be performed in a number of different ways, such as based ondevice identification information (e.g., IMEI or GUTI), simulating aregistration process to force an SRES or RES generation by the devicefrom which the device identification can be determined, and so forth.

In one embodiment, if the registration request and the IMSI are from anew device that has been reassigned the IMSI then the registrationprocess can be continued by forwarding the registration request and/orIMSI to the MSC/VLR (in GSM) or the MME (in LTE) to perform theregistration at 1406. In another embodiment, if the registration requestand the IMSI are from another device that has not been authorized toutilize the IMSI (and which is not the original device associated withthat IMSI) then an authentication failure can be generated. In oneembodiment, provisioning information can be sent to that particularcommunication device which is not authorized to utilize the IMSI, wherethe provisioning information causes nullification of the use of thatparticular IMSI by the UICC of that particular communication device.

If on the other hand the registration request and the IMSI are from anoriginal device (e.g., a device that the IMSI was previously associatedwith prior to being added to the listing of designated IMSIs) then adetermination can be made at 1410 as to whether the subscriber of theoriginal device is eligible for communication services. Eligibility forservices can be based on various factors and can be determined byvarious components or a combination of components, such as based onbilling, device hardware requirements, device software requirements,user requests, and so forth. In one embodiment, if the subscriber of theoriginal device is not eligible for communication services then at 1412provisioning information can be provided to the original device (e.g.,via OTA provisioning by the identity provisioning function 1399 such asthrough use of registration simulation platform 675) that causesdisabling the use of the particular IMSI by the original device (e.g.,where the IMSI is not bootstrap IMSI 1311 but rather is original IMSI1312). In one embodiment, if the IMSI 1312 has not already beenreassigned and the IMSI 1312 is not to be utilized by the communicationdevice 1310 then it can be removed from the listing of designated IMSIsto be provided to another communication device.

If on the other hand the subscriber of the original device is eligiblefor communication services then at 1414 the original device can beauthorized to utilize the particular IMSI (e.g., if it is determinedthat the particular IMSI has not yet been reassigned) or the originaldevice can be provisioned (e.g., utilizing registration simulationplatform 675) with another IMSI (e.g., if it is determined that theoriginal IMSI has already been reassigned to another device or if theIMSI is the bootstrap IMSI 1311). In one embodiment, the new IMSI 1313that is reassigned to the original device 1310 can be selected from alisting of designated IMSI that are to be reassigned to devices. Method1400 can then proceed to 1406 where the registration process iscompleted, such as by forwarding instructions to the communicationdevice 1310 to cause a re-registration. In one embodiment, if theoriginal device 1310 is utilizing the bootstrap IMSI 1311 andeligibility for services is approved then a new IMSI or the originalIMSI 1312 will need to be utilized by the original device to accessservices since the bootstrap IMSI does not provide direct access to theservices.

While for purposes of simplicity of explanation, the respectiveprocesses are shown and described as a series of blocks in FIG. 14, itis to be understood and appreciated that the claimed subject matter isnot limited by the order of the blocks, as some blocks may occur indifferent orders and/or concurrently with other blocks from what isdepicted and described herein. Moreover, not all illustrated blocks maybe required to implement the methods described herein.

In one or more embodiments, eligibility for services can be determinedaccording to a viability of the UICC, such as whether the UICC cancomply with requirements of the network (e.g., it can perform certainsecurity functions, provide certain notifications requested by thenetwork, and/or can facilitate certain communication services). In oneembodiment, if it is determined that the UICC is not viable or otherwiseis incompatible with the network then the subscriber of the originaldevice can be provided with a request to upgrade the UICC (which may ormay not utilize the same IMSI), such as forwarding a message includingan offer to the original device. In one embodiment, confirmation that aparticular IMSI is no longer being utilized by a communication devicecan result in that particular IMSI being removed from the listing ofdesignated IMSIs. One or more of the determinations described withrespect to any of the exemplary embodiments can be made by the identityproxy function 1350, the identity provisioning function 1399, or anothernetwork device.

In one or more embodiments, the communication device 1310 can have botha bootstrap IMSI 1311 and an original IMSI 1312 (e.g., stored in theUICC). In one embodiment, the communication device 1310 or the UICC canswitch from utilizing the original IMSI 1312 to utilizing the bootstrapIMSI 1311 responsive to detecting a triggering event. For example, acommunication device 1310 can monitor for a time period from a lastsuccessful registration of the communication device utilizing theoriginal IMSI 1312. If the time period exceeds a particular threshold(e.g., six months) then the communication device and/or the UICC canswitch to utilizing the bootstrap IMSI 1311.

In one or more embodiments, the communication device 1310 can beprovisioned with the bootstrap IMSI 1311 and may or may not continue tostore and/or utilize the original IMSI 1312 (e.g., stored in the UICC).For example, bootstrap IMSIs can be provisioned to all or some devicesvia the identity provisioning function 1399 utilizing an OTA interface,such as via SMS protocol (e.g., through use of registration simulationplatform 675). In one embodiment, particular communication devices canbe selected for receiving bootstrap IMSIs based on various criteria,such as based on older devices that are predicted to be going offline inthe near future, subscriber billing history, and so forth.

In one or more embodiments, the communication device 1310 can beprovisioned with a bootstrap IMSI 1311 at the time that the devicereceives its IMSI such as a reassigned IMSI 1313. In one or moreembodiments, the group of designated IMSIs can include a first subset ofIMSIs designated for limited use (e.g., bootstrap IMSIs), a secondsubset of IMSIs designated as having been reassigned to othercommunication devices, and/or a third subset of IMSIs designated forpotential reassignment but that have not yet been reassigned to othercommunication devices.

In one or more embodiments, the bootstrap IMSI 1311 can be utilized forproviding a subscriber with an option to obtain a reassigned IMSI (e.g.,via OTA provisioning by the identity provisioning function 1399 such asby utilizing registration simulation platform 675) and/or to obtain payfor services, such as access to a website that allows purchasingparticular services for particular lengths of times, and so forth. Inone embodiment, the same bootstrap IMSI can be utilized for multipledevice. In another embodiment, different bootstrap IMSIs can be utilizedfor different devices.

FIG. 15 illustrates a portion of a system 1500 that providescommunication services to end user devices or other devices, such ascommunication devices 1510-1510 n. System 1500 can be part of orcombined with all or a portion of system 200 of FIG. 2, system 1000 ofFIG. 10, system 1100 of FIG. 11, system 1300 of FIG. 13, or anothernetwork such as an EPS, GPRS or UMTS network. The communication devices1510-1510 n can be various types of devices such as an M2M device, anIoT device, a smart appliance, a utility meter, a fixed device, a mobiledevice, a vehicle communication system, or other devices that utilize anIMSI for establishing communication services. The types of communicationservices can vary including voice services, video, data and/ormessaging. System 1500 enables the same IMSI to be utilized by more thanone communication device such as through use of a steering function inconjunction with unique device identifiers. System 1500 provides forregistration of communication devices through use of a registrationfunction, such as an MSC/VLR and/or HLR in a GSM network.

System 1500 may or may not include intermediate network components inthe message exchange paths. System 1500 illustrates a registration by acommunication device 1510 utilizing an IMSI that is shared with one ormore other communication devices (illustrated as 1510 n). Each of thecommunication devices 1510-1510 n can have unique device identificationinformation (e.g., an IMEI, eUICC platform ID, MAC address, and soforth) and can also utilize their own secret keys for initiating and/orperforming the registration process (e.g., generating an SRES).

In one embodiment at 1501, a first communication device 1510 can requestregistration with the network where the registration request is receivedby the MSC/VLR 1545. In this embodiment the MSC and VLR are shown as onedevice but in another embodiment could also be separate devices. In oneembodiment, the first communication device 1510 can send both an IMSIand a unique device identifier (e.g., an IMEI) to the MSC/VLR 1545. Inanother embodiment, this unique device identifier can be identificationassociated with an eUICC. In another embodiment, a location updatemessage can be utilized for delivering this information to the MSC/VLR1545. Other techniques for obtaining the unique device identifier canalso be employed by system 1500, including use of registrationsimulation platform 675 of FIG. 6. In one embodiment, the MSC/VLR 1545can store the IMSI and the device identifier (e.g., indexed to eachother), and can use them to uniquely identify the first communicationdevice 1510 (against one or more other communication devices 1510 n thatmay attempt to register utilizing the same IMSI but would have differentdevice identifiers). In one embodiment, the MSC/VLR 1545 can have thecapability of distinguishing between a set of IMSI instances using theIMSI and a unique device identifier.

In one embodiment, the MSC/VLR 1545 can generate an authenticationrequest directed to an HLR 260, such as using (or otherwise including)both the IMSI and the device identifier. In one embodiment, a steeringfunction 1575 can intercept the authentication request and at 1502 cansteer it or otherwise transmit it to an HLR based on network policiesfor the IMSI and device identifier combination. In one embodiment, thesteering function 1575 can be integrated with the MSC/VLR 1545. Inanother embodiment, the steering function 1575 can be a separate device,such as interfacing with the MSC/VLR 1545 via a Diameter Routing Agent.As an example and as illustrated in FIG. 15, multiple HLRs 260 can beutilized where each HLR contains a single instance of a shared IMSI. Inthis example, the steering function 1575 can determine the appropriateHLR for receiving the authentication request according to the IMSI andthe device identifier. Continuing with this example, the HLR 260 may notneed to utilize (and/or know) the unique device identifier since it onlyhas one instance of the IMSI and can rely on that IMSI for its databaselookup. In another embodiment, a single HLR 260 can be used for sharedIMSIs, where the single HLR has the capability of distinguishingcommunication devices based on an IMSI and a mapping to a unique deviceidentifier as shown in the example of stored data at the HLR shown inFIG. 16.

In one or more embodiments, the combination of IMSI and deviceidentifier would be known by the MSC/VLR 1545, the steering function1575 and/or the HLR 260 (e.g., where a single HLR is being utilized)prior to an attempt at registration. Once the HLR 260 receives theauthentication request, the target HLR can provide authenticationtriplets to the MSC/VLR 1545 based on the IMSI (e.g., where multipleHLRs are being utilized that each have only one instance of the IMSI)and/or based on the combination of IMSI and unique device identifier(e.g., where a single HLR is being utilized that has multiple instancesof the IMSI that are each indexed by a different unique deviceidentifier). In one embodiment, the HLR 260 can communicate with the AUC270 for obtaining the authentication triplets. The MSC/VLR 1545 canreceive the authentication triplets from the HLR 260 and can initiatethe authentication procedure with the first communication device 1510.In one embodiment once authentication is successful, the MSC/VLR 1545can assign a unique temporary ID, such as a P-TMSI, to the firstcommunication device 1510. This unique temporary ID can allow each ofthe communication devices 1510-1510 n using the shared IMSI to be pagedon its own.

In one embodiment, system 1500 can operate without utilizing theregistration simulation platform 675 (e.g., illustrated in FIG. 6). Inanother embodiment, system 1500 can operate without utilizing theidentity proxy function 250 (e.g., illustrated in FIGS. 2 and 6)positioned between the MSC/VLR 1545 and the communication device 1510.In one embodiment, the functionality of the MSC/VLR 1545 and/or the HLR260 can be adjusted so that IMSI use by different devices can bedistinguished according to unique device identifiers (e.g., an IMEI). Inone embodiment, the combination of the IMSI and the unique deviceidentifier is known and stored by various network elements (e.g., one ormore of the MSC/VLR 1545, the steering function 1575, the HLR 260 and soforth) such as prior to any registration attempt. In one or moreembodiments, system 1500 can utilize an identity provisioning function1599 to provide various network elements (e.g., one or more of theMSC/VLR 1545, the steering function 1575, the HLR 260 and so forth) withnetwork provisioning data such as combinations of IMSIs and uniquedevice identifiers.

FIG. 17 illustrates a portion of a system 1700 that providescommunication services to end user devices or other devices, such ascommunication devices 1510-1510 n. System 1700 can be part of orcombined with all or a portion of system 800 of FIG. 8, system 1000 ofFIG. 10, system 1100 of FIG. 11, system 1300 of FIG. 13, or anothernetwork such as an EPS, GPRS or UMTS network. System 1700 can operatesimilar to system 1500 but can utilize protocols and componentsassociated with LTE communications. The communication devices 1510-1510n can be various types of devices such as an M2M device, an Iot device,a smart appliance, a utility meter, a fixed device, a mobile device, avehicle communication system, or other devices that utilize an IMSI forestablishing communication services. The types of communication servicescan vary including voice services, video, data and/or messaging. System1700 enables the same IMSI to be utilized by more than one communicationdevice such as through use of the steering function 1575 in conjunctionwith unique device identifiers. System 1700 provides for registration ofcommunication devices through use of a registration function, such as anMME and/or HSS in an LTE network. System 1700 may or may not includeintermediate network components in the message exchange paths. System1700 illustrates a registration by a communication device 1510 utilizingan IMSI that is shared with one or more other communication devices(illustrated as 1510 n). Each of the communication devices 1510-1510 ncan have unique device identification information, such as a GUTI, andcan also utilize their own secret keys for initiating and/or performingthe registration process.

In one embodiment at 1701, a first communication device 1510 can requestregistration with the network where the registration request is receivedby the MME 1740. In one embodiment, the first communication device 1510can send both an IMSI and a unique device identifier (e.g., a GUTI) tothe MME 1740, such as during an initial Attach procedure. In oneembodiment, this unique device identifier can be an eUICC platform ID.In another embodiment, multiple messages (Attach Request (IMSI) andIdentify Response (GUTI)) can be utilized for delivering thisinformation from the communication device 1510 to the MME 1740.Although, any number of messages can be utilized for obtaining the IMSIand unique device identification, such as a single message or two ormore messages. Other techniques can be utilized for obtaining the uniquedevice identification, such as an Identification Request sent to an oldMME/SGSN and/or use of registration simulation platform 675 of FIG. 6for forcing a RES generation. In one embodiment, the MME 1740 can storethe IMSI and the device identifier together (e.g., mapped to eachother), and can use them to uniquely identify the first communicationdevice 1510 (against one or more other communication devices 1510 n thatmay attempt to register utilizing the same IMSI but with differentdevice identifiers). In one embodiment, the MME 1740 can have thecapability of distinguishing between a set of IMSI instances using theIMSI and a unique device identifier.

In one embodiment, the MME 1740 can generate an authentication requestdirected to an HSS 860, such as using (or otherwise including) both theIMSI and the device identifier. In one embodiment, the steering function1575 can intercept the authentication request and at 1702 can steer itor otherwise transmit it to an HSS based on policies for the IMSI anddevice identifier combination. In one embodiment, the steering function1575 can be integrated with the MME 1740. In another embodiment, thesteering function 1575 can be a separate device, such as interfacingwith the MME 1740 via a Diameter Routing Agent. As an example and asillustrated in FIG. 17, multiple HSSs 860 can be utilized where each HSScontains a single instance of a shared IMSI. In this example, thesteering function 1575 can determine the appropriate HSS for receivingthe authentication request according to the IMSI and device identifier.Continuing with this example, the HSS 860 may not need to utilize(and/or know) the unique device identifier since it only has oneinstance of the IMSI and can rely on that IMSI. In another embodiment, asingle HSS 860 can be used for shared IMSIs, where the single HSS hasthe capability of distinguishing communication devices based on IMSI anda mapping to a unique device identifier (similar to the example ofstored data shown in FIG. 16).

In one or more embodiments, the combination of IMSI and deviceidentifier would be known by the MME 1740, the steering function 1575and/or the HSS 860 (e.g., where a single HSS is being utilized), such asprior to an attempt at registration. Once the HSS 860 receives theauthentication request, the target HSS can provide authenticationvectors to the MME 1740 based on the IMSI (e.g., where multiple HSSs arebeing utilized that each have only one instance of the IMSI) and/orbased on the combination of IMSI and unique device identifier (e.g.,where a single HSS is being utilized that has multiple instances of theIMSI that are each indexed by a unique device identifier). The MME 1740can receive the authentication vectors from the HSS 860 and can initiatethe authentication procedure with the first communication device 1510.In one embodiment once authentication is successful, the MME 1740 canassign a unique temporary ID, such as a P-TMSI or GUIT, to the firstcommunication device 1510. This unique temporary ID can allow each ofthe communication devices 1510-1510 n using the shared IMSI to be pagedon its own or to otherwise facilitate network services. For instance theunique temporary ID can be assigned to the first communication device1510 after a successful authentication or at some other time during orafter registration.

In one embodiment, system 1700 can operate without utilizing theregistration simulation platform 675. In another embodiment, system 1700can operate without utilizing the identity proxy function 850 positionedbetween the MME 1740 and the communication device 1510. In oneembodiment, the functionality of the MME 1740 and/or the HSS 860 can beadjusted so that IMSI use by different devices can be distinguishedaccording to unique device identifiers (e.g., a GUTI). In oneembodiment, the combination of the IMSI and the unique device identifieris known and stored by various network elements (e.g., one or more ofthe MME 1740, the steering function 1575, the HSS 860 and so forth) suchas prior to any registration attempt. In one or more embodiments, system1700 can utilize an identity provisioning function 1599 to providevarious network elements (e.g., one or more of the MME 1740, thesteering function 1575, the HSS 860 and so forth) with networkprovisioning data such as combinations of IMSIs and unique deviceidentifiers.

FIG. 18 depicts an illustrative embodiment of a method 1800 used bysystems 1500 and/or 1700 for facilitating the use of a same IMSI by morethan one communication device. One or more of the steps of method 1800can be performed by various network elements, such as a steeringfunction, a registration function, a VLR, an HLR, an MME, an HSS, and/orby other devices described in FIGS. 2-6, 8-11, 13, 15 and 17. At 1802,an IMSI can be received that is associated with a first communicationdevice attempting to register with a network, where the IMSI has beenassigned to one or more other communication devices which may or may notbe registered with that network. The one or more other communicationdevices can be located remotely from the first communication deviceand/or can be located in proximity thereto, such as at the samepremises. In one embodiment, the IMSI can be shared by communicationdevices associated with the same subscriber. In another embodiment, theIMSI can be shared by communication devices of a same type (e.g. a smartmeter) which may or may not be associated with the same subscriber andwhich may or may not be located in proximity or at the same premises. Inone embodiment, HLRs and/or HSSs can be established per subscriberand/or per groups of subscribers. In another embodiment, HLRs and/orHSSs can be established per premises, per groups of premises and/or pergeographic locations. In another embodiment, the HLRs and/or HSSs can beestablished according to device types (e.g. a smart meter) which may ormay not be associated with the same subscriber and which may or may notbe located in proximity or at the same premises.

For instance, the IMSI can be part of a registration request that isgenerated by or caused to be generated by the communication device 1510.At 1804, a determination of the status of the IMSI can be made. Forexample, a VLR or MME can determine that the IMSI is included in adesignated group of IMSIs that are shared by multiple devices. In oneembodiment, if the IMSI is not part of the designated group of IMSIsthen the registration process can be continued (with or withoutobtaining unique device identification information for the device) byforwarding the registration request and/or IMSI to the registrationfunction to perform the registration at 1806. If on the other hand theIMSI is part of the designated group of IMSIs then a determination of anidentity of the particular device requesting registration can beperformed. For example, the identification of the particular device canbe performed in a number of different ways, such as by receiving orrequesting device identification information (e.g., IMEI or GUTI)including via an Attach Request and/or Identify Response in an EPSsystem, simulating a registration process to force an SRES or RESgeneration by the device from which the device identification can bedetermined, and so forth.

In one embodiment at 1808 where multiple registration functions arebeing utilized that each include only one instance of the IMSI, aselection of a first registration function from among a group ofregistration functions according to the device identificationinformation can be performed. For instance, the group of registrationfunctions (e.g., HLRs or HSSs) can store subscriber informationincluding IMSIs that are indexed to device identifications. At 1810, anauthentication request can be transmitted to the selected firstregistration function (without being transmitted to any of the otherregistration functions), where the first registration function storesfirst subscriber information including the IMSI that is indexed to thefirst communication device and where a second registration function ofthe group of registration functions stores second subscriber informationincluding the single IMSI that is indexed to the second communicationdevice. In this example, the second registration function does not storethe first subscriber information and the first registration functiondoes not store the second subscriber information. The transmitting ofthe authentication request to the first registration function can enablethe first communication device to complete a registration process. Theuse of the same IMSI for more than one device as described with respectto FIGS. 15-18 can also be utilized with one or more features describedwith respect to other embodiments herein, such as OTA provisioningutilizing a registration simulation, bootstrap IMSIs for enablingprovisioning of a same IMSI to more than one device, disabling devicesfrom utilizing a shared IMSI such as for suspension of services, and soforth. In one or more embodiments, an identity proxy function and/or anidentity provisioning function can be used in conjunction with thesteering function 1575 for enabling various features described withrespect to the embodiments of FIGS. 2-14.

FIG. 19 illustrates a portion of a system 1900 that providescommunication services to end user devices or other devices, such ascommunication devices 1910A and 1910B. System 1900 can be part of orcombined with all or a portion of system 200 of FIG. 2, system 1000 ofFIG. 10, system 1100 of FIG. 11, system 1300 of FIG. 13, or anothernetwork such as an EPS, GPRS or UMTS network. The communication devices1910A and 1910B can be various types of devices such as an M2M device,an IoT device, a smart appliance, a utility meter, a fixed device, amobile device, a vehicle communication system, or other devices thatutilize an IMSI for establishing communication services. The types ofcommunication services can vary including voice services, video, dataand/or messaging. System 1900 enables the same IMSI to be utilized bymore than one communication device by segregating the locations of thedevices using the same IMSI. System 1900 provides for registration ofcommunication devices through use of a registration function, such as anMSC/VLR and/or HLR in a GSM network.

System 1900 may or may not include intermediate network components inthe message exchange paths. System 1900 illustrates a registration by acommunication device 1910A utilizing an IMSI that is shared with one ormore other communication devices (illustrated as 1910B). Each of thecommunication devices 1910A and 1910B can have unique deviceidentification information (e.g., an IMEI, eUICC ID information, MACaddress, and so forth) and can also utilize their own secret keys forinitiating and/or performing the registration process (e.g., generatingan SRES).

In one embodiment at 1901, a first communication device 1910A canrequest registration with the network where the registration request isreceived by the MSC/VLR 1945A. In this embodiment the MSC and VLR areshown as one device but in another embodiment could also be separatedevices. In one embodiment, the first communication device 1910A cansend an IMSI to the MSC/VLR 1945A.

In one embodiment, system 1900 can be configured such that a device witha shared IMSI does not or should not register with an MSC/VLR thatalready has a device with the same IMSI registered to it (or otherwisedesignated to that registration service area). For example, device 1910Acan be operating in Location Area A where the MSC/VLR 1945A is not partof an overlapping pool of MSC/VLRs into (or otherwise does not have aregistration service area that covers) Location Area B. In oneembodiment, the particular MSC/VLR 1945A can be selected from among agroup of MSC/VLRs based on the IMSI (or an IMSI hash) and/or otherdeterminative information including location data, such as by a RadioNetwork Controller (RNC). The Location Area can be a non-overlappinggrouping of cell sites within a VLR service area. In this example, therecan be only one instance of a shared IMSI per MSC/VLR registrationservice area such as a Location Area (e.g., location A or Location B).In another embodiment, the particular communication device (e.g., device1910A) can be intended to operate within that designated registrationservice area and/or movement of the particular communication can bemonitored to detect if the particular device moves out of thisdesignated registration service area. In one embodiment, the mapping ofthe IMSI to an HLR can be static and hard coded in the selected MSC/VLR1945A. In another embodiment, the process utilized in system 1900 can befor GSM devices that do not support GPRS, LTE and/or EPS communications.

In one or more embodiments, unique device identification information maynot be initially obtained with the IMSI. In one or more embodiments,unique device identification information may be obtained to facilitatethe registration process such as an IMEI, a unique device identifierassociated with an eUICC, and so forth. In another embodiment, alocation update message can be utilized for delivering the deviceidentification information to the MSC/VLR 1945A. Other techniques forobtaining the unique device identifier can also be employed by system1900, including use of registration simulation platform 675 of FIG. 6.

In one embodiment at 1902, the MSC/VLR 1945A can generate anauthentication request directed to an HLR 260A, such as using (orotherwise including) the IMSI. Continuing with this example, the HLR260A may not need to utilize (and/or know) any unique device identifiersince it only has one instance of the IMSI and can rely on that IMSI forits database lookup. Once the HLR 260A receives the authenticationrequest, the HLR can provide authentication triplets to the MSC/VLR1945A based on the IMSI. In one embodiment, the HLR 260A can communicatewith the AUC 270 for obtaining the authentication triplets. The MSC/VLR1945A can receive the authentication triplets from the HLR 260A and cancontinue the authentication procedure with the first communicationdevice 1910A to enable completion of the registration process. In oneembodiment, there can be one AUC per HLR. In another embodiment, the AUCcan have a mapping of the IMSI, HLR, and secret key.

In one embodiment, system 1900 may or may not operate without utilizingthe registration simulation platform 675 (e.g., illustrated in FIG. 6).In another embodiment, system 1900 may or may not operate withoututilizing the identity proxy function 250 (e.g., illustrated in FIGS. 2and 6) positioned between the MSC/VLR 1945A and the communication device1910A.

In one embodiment at 1903, a second communication device 1910B canrequest registration with the network where the registration request isreceived by the MSC/VLR 1945B. In this embodiment the MSC and VLR areshown as one device but in another embodiment could also be separatedevices. In one embodiment, the second communication device 1910B cansend an IMSI to the MSC/VLR 1945B. In one or more embodiments, a sameVLR can process multiple instances of an IMSI based on having access toand supporting additional information, such as device identity and/orlocation information.

In one embodiment, system 1900 can be configured such that a device witha shared IMSI does not or should not register with an MSC/VLR thatalready has a device with the same IMSI registered to it. For example,device 1910B can be operating in Location B where the MSC/VLR 1945B isnot part of an overlapping pool of MSC/VLRs into (or otherwise does nothave a registration service area that covers) Location A.

In one embodiment at 1904, the MSC/VLR 1945B can generate anauthentication request directed to an HLR 260B, such as using (orotherwise including) the IMSI. In this example, HLR 260A includessubscriber information for device 1910A (e.g., IMSI and IMEI₁) and doesnot include subscriber information for device 1910B. HLR 260B includessubscriber information for device 1910B (e.g., IMSI and IMEI₂) and doesnot include subscriber information for device 1910A. Authenticationtriplets can be obtained and the registration process can be completedfor device 1910B.

In one or more embodiments, system 1900 can utilize an identityprovisioning function 1999 to provide various network elements (e.g.,one or more of the MSC/VLR 1945A, 1945B, the HLR 260A, 260B, and/orother network elements) with network provisioning data such one or moreof IMSIs, unique device identifiers, and so forth.

In one or more embodiments, movement of a communication device can bemonitored. Responsive to a determination that the communication devicehas moved into a different registration service area (e.g., of anMSC/VLR or MME), actions can be taken to eliminate or mitigate anyregistration problems. For example, another IMSI can be reassigned tothe device that has newly moved into the registration service area ifthe previous IMSI is already being used by another device in thatregistration area. In one embodiment, the reassigning of the new IMSIcan be via an OTA interface, such as through use of the registrationsimulation platform 675. For example, an identity proxy function candetermine that a device with a shared IMSI has moved into anotherregistration service area. In another embodiment, an MSC/VLR or MME caninitiate an IMSI change. In one or more embodiments, an RNC can selectthe MSC/VLR from a pool based on two factors, the IMSI and locationarea. In one embodiment, the initial LOCATION UPDATE message can includethe IMSI and location area. In another embodiment, an address of the HLRcan be hardcoded into the MSC/VLR for the IMSI. In another embodiment,an address of the HLR can be hardcoded into the MSC/VLR for acombination of an IMSI and device location. In one embodiment, if theAUC is separate from the HLR, then the AUC can be mapped to one and onlyone HLR or the AUC can able to distinguish subscribers/users through thecombination of IMSI, HLR address, and secret keys. In one embodiment,the identity provisioning function can create the mappings between theIMSI, location, MSC/VLR, HLR, AUC (e.g., if separate), and/or any otherdevice identifier. In another embodiment, if the MSC/VLRs are notpooled, then the RNC can simply forward the registration message to theMSC/VLR it is attached to. In another embodiment, the movement ofdevices with shared IMSIs across MSC/VLR borders can be supported withthe identity proxy function. If one of these devices is moved to thelocation of another device, the identity proxy function can prevent“duplicate registrations” if the MSC/VLR is not capable of supportingmultiple instances of the same IMSI. One or more of these examplesdescribed herein can be applied to an MME as opposed to the MSC/VLR.

FIG. 20 illustrates a portion of a system 2000 that providescommunication services to end user devices or other devices, such ascommunication devices 1910A and 1910B. System 2000 can be part of orcombined with all or a portion of system 800 of FIG. 8, system 1000 ofFIG. 10, system 1100 of FIG. 11, system 1300 of FIG. 13, or anothernetwork such as an EPS, GPRS or UMTS network. The communication devices1910A and 1910B can be various types of devices such as an M2M device,an IoT device, a smart appliance, a utility meter, a fixed device, amobile device, a vehicle communication system, or other devices thatutilize an IMSI for establishing communication services. The types ofcommunication services can vary including voice services, video, dataand/or messaging. System 2000 enables the same IMSI to be utilized bymore than one communication device by segregating the locations of thedevices using the same IMSI. System 2000 provides for registration ofcommunication devices through use of a registration function, such as anMME and/or HSS in an LTE network.

System 2000 may or may not include intermediate network components inthe message exchange paths. System 2000 illustrates a registration by acommunication device 1910A utilizing an IMSI that is shared with one ormore other communication devices (illustrated as 1910B). Each of thecommunication devices 1910A and 1910B can have unique deviceidentification information (e.g., a GUTI, eUICC ID information, MACaddress, and so forth) and can also utilize their own secret keys forinitiating and/or performing the registration process (e.g., generatingan RES).

In one embodiment at 2001, a first communication device 1910A canrequest registration with the network where the registration request isreceived by the MME 2040A. In one embodiment, the first communicationdevice 1910A can send an IMSI to the MME 2040A.

In one embodiment, system 2000 can be configured such that a device witha shared IMSI does not or should not register with an MME that alreadyhas a device with the same IMSI registered to it (or otherwisedesignated to that registration service area). In one embodiment, anidentity proxy function can prevent or otherwise mitigate a shared IMSIfrom registration to an MME that already has the shared IMSI registeredfor a different device. In one embodiment, there is only one IMSI perMME service area unless the MME can support multiple instances of anIMSI. The constraint of one IMSI instance per Tracking Area (TA) canrelate to the process in which an eNB selects the MME.

In one embodiment, device 1910A can be operating in Tracking Area Awhere the MME 2040A is not part of an overlapping pool of MMEs into (orotherwise does not have a registration service area that covers)Tracking Area B. In another embodiment, the particular MME 2040A can beselected from among a group of MMEs based on the IMSI (or an IMSI hash)and/or other determinative information including location data (e.g.,TA), such as by the eNB. In this example, there can be only one instanceof a shared IMSI per MME registration service area such as the TA area(e.g., Tracking Area A or Tracking Area n B). In another embodiment, theparticular communication device (e.g., device 1910A) can be intended tooperate within that designated registration service area and/or movementof the particular communication can be monitored to detect if theparticular device moves out of this designated registration servicearea. In one embodiment, the mapping of the IMSI to an HSS can be staticand hard coded in the selected MME 2040A. In one embodiment as part ofthe UE Attach, the eNB can query a Domain Name Server (DNS) Server usingthe TA for the address of the MME it should provide to that UE. In oneembodiment, the query to the DNS server can be based on IMSI and TA.

In one or more embodiments, unique device identification information maynot be initially obtained with the IMSI. In one or more embodiments,unique device identification information may be obtained to facilitatethe registration process such as a GUTI, a unique device identifierassociated with an eUICC, and so forth. In another embodiment, anIdentify Response can be utilized for delivering this information fromthe communication device 1910A to the MME 2040A. Other techniques forobtaining the unique device identifier can also be employed by system2000, including use of registration simulation platform 675 of FIG. 8.

In one embodiment at 2002, the MME 2040A can generate an authenticationrequest directed to an HSS 860A, such as using (or otherwise including)the IMSI. Continuing with this example, the HSS 860A may not need toutilize (and/or know) any unique device identifier since it only has oneinstance of the IMSI and can rely on that IMSI for its database lookup.Once the HSS 860A receives the authentication request, the HSS canprovide authentication vectors to the MME 2040A based on the IMSI. TheMME 2040A can receive the authentication vectors from the HSS 860A andcan continue the authentication procedure with the first communicationdevice 1910A to enable completion of the registration process.

In one embodiment, system 2000 may or may not operate without utilizingthe registration simulation platform 675 (e.g., illustrated in FIG. 8).In another embodiment, system 2000 may or may not operate withoututilizing the identity proxy function 850 (e.g., illustrated in FIG. 8)positioned between the MME 2040A and the communication device 1910A.

In one embodiment at 2003, a second communication device 1910B canrequest registration with the network where the registration request isreceived by the MME 2040B. In one embodiment, the second communicationdevice 1910B can send an IMSI to the MME 2040B.

In one embodiment, system 2000 can be configured such that a device witha shared IMSI does not or should not register with an MME that alreadyhas a device with the same IMSI registered to it. For example, device1910B can be operating in Tracking Area B where the MME 2040B is notpart of an overlapping pool of MMEs into (or otherwise does not have aregistration service area that covers) Tracking Area B.

In one embodiment at 2004, the MME 2040B can generate an authenticationrequest directed to an HSS 860B, such as using (or otherwise including)the IMSI. In this example, HSS 860A includes subscriber information fordevice 1910A (e.g., IMSI and device identification) and does not includesubscriber information for device 1910B. HS S 860B includes subscriberinformation for device 1910B (e.g., IMSI and device identification) anddoes not include subscriber information for device 1910A. Authenticationvectors can be obtained and the registration process can be completedfor device 1910B.

In one or more embodiments, system 2000 can utilize an identityprovisioning function 1999 to provide various network elements (e.g.,one or more of the MME 1945A, 1945B, the HSS 860A, 860B, and/or othernetwork elements) with network provisioning data such one or more ofIMSIs, unique device identifiers, and so forth.

In one or more embodiments, movement of a communication device can bemonitored. Responsive to a determination that the communication devicehas moved into a different registration service area (e.g., of anMSC/VLR or MME), actions can be taken to eliminate or mitigate anyregistration problems. For example, another IMSI can be reassigned tothe device that has newly moved into the registration service area ifthe previous IMSI is already being used by another device in thatregistration area. In one embodiment, the reassigning of the new IMSIcan be via an OTA interface, such as through use of the registrationsimulation platform 675.

FIG. 21 depicts an illustrative embodiment of a method 2100 used bysystems 1900 and/or 2000 for facilitating the use of a same IMSI by morethan one communication device (e.g., Iot devices, M2M devices, fixedcommunication devices, or other types of communication devices). One ormore of the steps of method 2100 can be performed by various networkelements, such as a registration function, a VLR, an HLR, an MME, anHSS, and/or by other devices described in FIGS. 2-6, 8-11, 13, 15, 17,19 and 20. At 2102, an IMSI can be received that is associated with afirst communication device attempting to register with a network. TheIMSI can be assigned to more than one communication device. Thecommunication devices can be located remotely from each other, such asin different registration service areas. In one embodiment, the IMSI canbe shared by communication devices of a same type (e.g. a smart meter).In one embodiment, the HLRs and/or HSSs can be established according todevice types (e.g. utility reading devices).

For instance, the IMSI can be part of a registration request that isgenerated by or caused to be generated by a communication device. At2104, an appropriate network element, registration function or otherserver (e.g., an MSC/VLR or MME) can be selected (e.g., from among anavailable group) for processing the registration request. For example,the communication device can be operating in an area where either theMSC and/or MME are not part of an overlapping pool. In anotherembodiment for EPS, the eNBs can use both TA and IMSI to select the MME(e.g., from among an available group). In another embodiment, aselection of the MSC/VLR (e.g., from among an available group) can bebased on the IMSI (or IMSI hash) by the RNC. In these examples, therecan be only one instance of a shared IMSI per MSC or MME area and thedevice corresponding to this IMSI is intended not to move from thisarea. In one embodiment, a determination of whether the IMSI is a sharedIMSI can be made such as based on provisioning data provided by anidentity proxy function that notifies various network elements of sharedIMSIs, intended device locations, and so forth. For example, an MSC/VLRor MME can determine that the IMSI is included in a designated group ofIMSIs that are shared by multiple devices according to a list providedby the identity proxy function. In this example, if the IMSI is not partof the designated group of IMSIs then the registration process can becontinued (with or without selecting a particular MSC/VLR or MME).

In one embodiment at 2106 the registration process can be performed suchas by transmitting an authentication request from the selected MSC/VLRor MME to an HLR or HSS (respectively), where the HLR or HSS storesfirst subscriber information including the IMSI that is indexed to thefirst communication device without storing second subscriber informationincluding the single IMSI that is indexed to a second communicationdevice. In this example, a second registration function can store thesecond subscriber information but does not store the first subscriberinformation. The transmitting of the authentication request can enablethe first communication device to complete a registration process. Theuse of the same IMSI for more than one device as described with respectto FIGS. 19-21 can also be utilized with one or more features describedwith respect to other embodiments herein, such as OTA provisioningutilizing a registration simulation, bootstrap IMSIs for enablingprovisioning of a same IMSI to more than one device, disabling devicesfrom utilizing a shared IMSI such as for suspension of services, and soforth. In one or more embodiments, an identity proxy function and/or anidentity provisioning function can be used for enabling various featuresdescribed with respect to the embodiments of FIGS. 2-21.

In one or more embodiments, the use of shared IMSIs can be subject to ascreening process during registration to eliminate or mitigate anyregistration problems. For example, an identity proxy function 250, 850(illustrated in FIGS. 2 and 8, respectively) can be utilized so that ifa device moves into a registration service area where that shared IMSIis already being utilized then the identity proxy function can takeappropriate action, such as disabling use of the shared IMSI by thedevice that has moved and/or reassigned another IMSI to that particulardevice. In one embodiment, the identity proxy function 250, 850 can havea list of shared IMSIs and/or unique device identifiers for shared IMSIsand their corresponding devices that are being utilized in thatregistration service area. This information can be utilized as part ofthe screening process by obtaining the necessary information forcomparison to the listing as described herein in other embodiments.

In one or more embodiments, identity proxy and/or provisioning functionscan be used for management of shared IMSIs among two or more devices,including where one of the devices moves into a service area (e.g., aregistration service area of a VLR or MME) of another device. Forexample, an identity proxy function can determine that a registrationrequest is coming from a “new” device, such as a smart appliance thathas been moved into a new service area (as opposed to a smart appliancethat has already registered and/or is re-registering with the network).In one embodiment, the identity proxy function can intercept allregistration attempts using a shared IMSI and can then determine orotherwise identify the device that is requesting registration. Forexample, the identity proxy function can have policies (e.g., logic withregistration rules) instructing it to do so. In one embodiment, theidentity proxy function can simulate a registration and can cause theIMSI used by the device to be changed to another value (i.e., a newIMSI), such as where it is determined that the shared IMSI should not beused by the device (e.g., the shared IMSI is already being utilized by adevice in the particular service area, a limited use or pay-for-serviceIMSI is intended to be used by the particular device, and so forth).

In one or more embodiments, devices can move “locally” (i.e., within aVLR or MME service area) and re-register with the network. In thisexample, if there are no other instances of the shared IMSI in use(e.g., the IMSI is not already registered via the VLR or MME with thenetwork) then the identity proxy function can verify the identity of thedevice and can allow the registration request to go through (e.g., tothe VLR or MME) to complete the registration process. If an IMSIadjustment is desired or needed, then an OTA can be implemented tochange the IMSI if necessary.

In one or more embodiments, the device may move into a different VLR orMME service area. The identity of the device seeking registration can bedetermined using the identity proxy function. For example, the identityproxy function can be provisioned with logic to know that it needs toperform this check. If the IMSI is not in use in this service area,and/or other requirements are met (e.g., the particular subscriber isauthorized to move the device into this service area), the device can bepermitted to register utilizing the IMSI. If on the other hand there isanother use of the same IMSI by another device in that service area,then the identity proxy function can cause a registration simulation toenable an OTA change of the IMSI for the new device seekingregistration. This OTA change information can also be propagated toother network elements to facilitate registration or a subsequentregistration (at this service area or at a different service area). Inone or more embodiments, the “binding” or designation between a deviceand its intended location can be reflected in policies (e.g.,information) that are provided to the identity proxy function. In one ormore embodiments, notification of movement by a device into a newservice area and/or reassignment of a new IMSI to a device can beprovided to the subscriber of the particular device, such as via a userinterface of the device, a billing statement, a user interface ofanother device of the subscriber and so forth. In another embodiment,the reassignment of the IMSI to a device can be performed seamlesslywithout any notification to the subscriber.

In one or more embodiments, the network can send out a single OTAmessage to two or more devices using a designated transport key (e.g., asingle transport key), where the two or more devices are utilizing thesame IMSI. In this example, a first device can already be registeredwith the network and the second device can be the device that has movedinto the service area and is registering. Further to this example, onlythe device with the corresponding transport key can interpret themessage (e.g., a message causing the UICC to change the IMSI). The otherdevice(s) will not have the correct transport key and will not be ableto interpret the message so that their IMSI(s) remain unchanged. In oneembodiment, this OTA technique can be utilized with alternate accessnetwork such as Wi-Fi, Bluetooth, NFC, and/or a wired broadbandconnection. In one or more embodiments, paging a shared IMSI can resultin a response(s) being rejected by the VLR or MME, which are thenintercepted by the identity proxy function. In one embodiment, paging ashared IMSI can be performed by the network to determine how manyinstances of the IMSI are in use in a particular area. In oneembodiment, the VLR or MME can ignore a duplicate paging response. Forinstance, the identity proxy function can maintain a record of theinitial page which can be correlated to a response from the intendedrecipient of the device (i.e., the device that is intended to bereassigned a different IMSI).

FIG. 22 illustrates a portion of a system 2200 that providescommunication services to end user devices or other devices, such ascommunication device 2210. System 2200 can be part of or combined withall or a portion of system 800 of FIG. 8, system 1000 of FIG. 10, system1100 of FIG. 11, system 1300 of FIG. 13, or another network such as anEPS, GPRS or UMTS network. The communication device 2210 can be varioustypes of devices such as an M2M device, an IoT device, a smartappliance, a utility meter, a fixed device, a mobile device, a vehiclecommunication system, or other devices that utilize an IMSI forestablishing communication services. The types of communication servicescan vary including voice services, video, data and/or messaging. In oneembodiment, system 2200 enables the same IMSI to be utilized by morethan one communication device based on intended locations of devices. AReassignment of an IMSI can be implemented where it is detected that twoor more devices utilizing a same IMSI are present in a same area, suchas if a smart appliance is moved to a different home that is in a sameregistration area of a VLR or MME of another smart appliance thatutilizes the same IMSI. System 2200 can provide for registration ofcommunication devices through use of a registration function, such as anMCS/VLR and/or HLR in a GSM network or an MME and/or HSS in an LTEnetwork.

System 2200 may or may not include intermediate network components inthe message exchange paths. System 2200 illustrates a registration bythe communication device 2210 utilizing an IMSI 2212 that is shared withone or more other communication devices (not shown). Each of thecommunication devices sharing the same IMSI can have unique deviceidentification information (e.g., a IMEI, GUTI, eUICC ID information,MAC address, and so forth) and can also utilize their own secret keysfor initiating and/or performing the registration process (e.g.,generating a SRES or a RES).

In the example of system 2200, the IMSI 2212 being utilized bycommunication device 2210 is also being utilized by anothercommunication device (which may or may not be already registered withthe network). In this embodiment, an identity proxy function 2250 canintercept or otherwise receive the IMSI, such as based on intercepting aregistration request (e.g., prior to the registration request beingprovided to an MSC/VLR and/or HLR in GSM as illustrated in FIG. 2 orprior to the registration request being provided to an MME and/or HSS inLTE as illustrated in FIG. 8). In one embodiment, the IMSI 2212 can be ashared bootstrap IMSI that provides for limited functionality such asbeing limited to bootstrap functions (e.g., functions that enablecommunicating with the network for administrative reasons includingobtaining another IMSI), a pay for service mode, and so forth.

In one embodiment at 2201, the communication device 2210 can requestregistration with the network where the identity proxy function 2250 candetermine whether or not the particular IMSI is part of a group ofdesignated IMSIs. In one embodiment, the group of designated IMSIs caninclude IMSIs that have been shared among more than one device. Inanother embodiment, the shared IMSIs are intended to be utilized bydevices that are in different locations so that registration conflictsdo not arise. For instance, the same IMSI can be utilized to registertwo different communication devices without creating a registrationconflict where the devices are in different registration areasassociated with different registration functions, such as different VLRsor different MMEs and different HLRs or different HSSs.

In one embodiment, the identity proxy function 2250 can identify theparticular device requesting registration with the network. For example,device identification information (e.g., an IMEI or GUTI) can beobtained for the communication device 2210, such as being received fromdevice 2210 (e.g., in the registration request) or obtained from anothernetwork element (e.g., from an Identification Request sent to the oldMME/SGSN to request the IMSI). In one embodiment, identification of thecommunication device 2210 can be based on simulating a registrationprocess and forcing a generation of an SRES (in GSM) or RES (in LTE) bythe communication device 2210, as described herein.

In one embodiment, registration simulation platform 675 can be utilized(e.g., positioned between the communication device 2210 and the VLR inGSM or positioned between the communication device and the MME in LTE).As described herein, the registration simulation platform 675 can sendan OTA message to the communication device 2210 that can cause themodification of the device IMSI and can cause the device to perform are-registration to the target network. For example, the registrationsimulation platform 675 can comprise a set of functional elements thatexist in the target network including an MSC/VLR, a MME, a HLR or HSS,an AUC, a SMSC, an OTA platform, a SGW, a PGW, an EIR and/or anycombination thereof. In one embodiment, the registration simulationplatform 675 can simulate a registration of the communication device2210, identify the communication device from the secret key and/or fromother identification information (e.g., IMEI or GUTI) and/or can causethe communication device to change from the IMSI 2211 to a new IMSI 2213via OTA. The new IMSI 2213 can be from various sources, such as from alisting of IMSIs that are designated for reassignment and not to beshared, a listing of IMSIs that are designated for reassignment and areto be shared such as a shared IMSI that is currently being utilized in adifferent service area, and so forth.

In one embodiment, the identity proxy function 2250 and/or the identityprovisioning function 2299 can determine whether the original device2210 is eligible for services. If the device 2210 is not eligible forservices (e.g., device is not authorized to operate in the service areaof the particular VLR or MME, suspension of services for non-payment orother reasons, device/UICC is not compatible with network or services,and so forth) then the identity proxy function 2250 can cause orotherwise facilitate or enable provisioning information to be provided(e.g., via the identity provisioning function 2299) to the device 2210to cause the device to disable its use of the IMSI 2212. In oneembodiment, the IMSI 2212 can then be removed from the designatedlisting of shared IMSIs.

In one embodiment, if the communication device 2210 is eligible forservices but the shared IMSI is already being utilized in the servicearea by another device then the identity provisioning function 2299 canimplement a reassignment of another IMSI 2213 for the device 2210. Forexample at 2202, responsive to a determination that an IMSI reassignmentis warranted, the identity proxy function 2250 can provide a request tothe identity provisioning function 2299 for the other IMSI 2213 or thedetermination can be made by the identity provisioning function 2299. Inone embodiment, the device 2210 can continue to utilize its originalsecret key (which is mapped to the original device by the network suchas in an HLR or HSS). In one embodiment, the determination ofeligibility for services can be made by the identity provisioningfunction 2299 such that the identity proxy function 2250 automaticallytransmits the request to the identity provisioning function 2299 foranother IMSI responsive to a determination that the shared IMSI is beingutilized by a device that is new to the service area and/or that anotherdevice is already registered with the shared IMSI, and the identityprovisioning function 2299 can approve or deny the request.

Continuing with this example at 2203, the identity provisioning function2299 can notify various network elements (e.g., the HLR 260, the AUC270, an EIR, the HSS 860, and/or a national SIM manager) that thecommunication device 2210 is now associated with the particularreassigned IMSI 2213. In one embodiment, this transmitting of networkprovisioning data can cause the HLR 260 or HSS 860 to delete (orotherwise note the change of) an original IMSI assignment for thecommunication device 2210 and/or add the new IMSI assignment for thecommunication device 2210 in its database. In one embodiment, thisnotification can cause the HLR 260 or the HSS 860 to perform a databaseupdate such as re-mapping to particular HLR records, adjusting mappingwith respect to MSISDNs, adjusting an identification of availablecommunication services that the subscriber has requested or isauthorized to utilize, adjusting GPRS settings to allow the subscriberto access packet services, and so forth.

In one embodiment at 2204, the identity provisioning function 2299 canprovide provisioning information to the communication device 2210, suchas via an OTA interface (e.g., using an SMS protocol such as throughregistration simulation platform 675). The provisioning information cancause the UICC to be adjusted so that the reassigned IMSI 2213 is nowutilized by the communication device 2210 for communication services. At2205, the communication device 2210 can then attempt to re-registerutilizing the reassigned IMSI 2213. The identity proxy function 2250 canreceive the re-registration request for the communication device 2210,which now includes the reassigned IMSI 2213, and at 2206-2208 theregistration process (e.g., via the VLR 245 and the HLR 260 in system200 or via the MME 840 and the HSS 860 in LTE) can be completed based onthe reassigned IMSI 2213. In one or more embodiments, the identityprovisioning function 2299 can provision an NSM with the reassigned IMSI2213 for the device 2210 where the secret key of the device 2210 isalready known. In another embodiment, the identity provisioning function2299 can be integrated with equipment of the NSM. In one embodiment, abilling system can detect the change in IMSI for the UICC and canprovision some or all other network elements necessary for enabling callprocessing (e.g., HLR 260, AUC 270, MME 840 and/or HSS 860). In oneembodiment, the identity proxy function 2250 and/or the identityprovisioning function 2299 can provide instructions to the communicationdevice 2210 that causes the communication device to initiate are-registration utilizing the re-assigned IMSI 1313.

In one embodiment, the identity proxy function 2250 and/or the identityprovisioning function can determine that the communication device 2210has been moved to a different location (i.e., a different service areaof a VLR or MME). The different location can be one where another deviceis using the same shared IMSI. In one embodiment, a temporary orparticular IMSI can be reassigned to devices entering the differentlocation. For instance, a reassigned temporary IMSI can limit servicesof the device while it is present in the different location, such aslimiting type, amount and/or time of services. In one embodiment, thedevice can be reassigned the previous shared IMSI upon returning to itsoriginal location. In one embodiment, the identity proxy function 2250can determine whether the device has been moved based on informationassociated with a registration request, such as the location area,tracking area, etc.

FIG. 23 depicts an illustrative embodiment of a method 2300 used bysystem 2200 for facilitating the reassignment of IMSIs where a device isattempting to register in a location where the same IMSI is being usedby another device. One or more of the steps of method 2300 can beperformed by the identity proxy function 2250, the identity provisioningfunction 2299 and/or by other devices described in FIGS. 2-6, 8-11, 13,15, 17, 19-20, and 22. At 2302, an IMSI can be received that isassociated with a communication device. For instance, the IMSI can bepart of a registration request that is generated by or caused to begenerated by the communication device 2210. At 2304, a determination ofthe status of the IMSI can be made. For example, the identity proxyfunction 2250 can determine whether the IMSI is included in a designatedgroup of IMSIs that are shared amongst devices (e.g., devices that areintended to operate in different service areas of a VLR or MME). In oneembodiment, if the IMSI is not part of the designated group of IMSIsthen the registration process can be continued by forwarding theregistration request and/or IMSI to the registration function 2260(e.g., MSC/VLR in GSM or MME in LTE) to perform the registration at2306. If on the other hand the IMSI is part of the designated group ofIMSIs then a determination can be made at 2308 as to whether theregistration request is for a device that is operating in an authorizedlocation. The identification of the particular device can be performedin a number of different ways, such as based on device identificationinformation (e.g., IMEI or GUTI), simulating a registration process toforce an SRES or RES generation by the device from which the deviceidentification can be determined, and so forth. In one embodiment, theidentity proxy function 2250 can have access to a mapping of devicesthat have shared IMSIs and that are authorized to operate in theparticular service area of the VLR or MME.

In one embodiment at 2308, if the registration request and the IMSI arefrom a device that is authorized to operate in the service area then theregistration process can be continued by forwarding the registrationrequest and/or IMSI to the MSC/VLR (in GSM) or the MME (in LTE) toperform the registration at 2306. For instance, a smart appliance may bemoved within a premises or otherwise become unregistered with thenetwork and may be seeking re-registration. If on the other hand, theregistration request and the IMSI are from another device that has notbeen authorized to operate in the service area then a determination canbe made at 2310 as to whether the subscriber of the device is eligiblefor communication services. Eligibility for services can be based onvarious factors and can be determined by various components or acombination of components, such as based on billing, device hardwarerequirements, device software requirements, user requests, and so forth.

In one embodiment, if the subscriber of the device is not eligible forcommunication services then at 2312 provisioning information can beprovided to the original device (e.g., via OTA provisioning by theidentity provisioning function 2299 such as through use of registrationsimulation platform 675) that causes disabling the use of the particularIMSI by the device. If on the other hand, the subscriber of the deviceis eligible for communication services then at 2314 the device can beprovisioned (e.g., utilizing registration simulation platform 675) withanother IMSI. In one embodiment, the new IMSI 2213 that is reassigned tothe device 2210 can be selected from a listing of designated IMSI thatare to be reassigned to devices and/or that may be shared with anotherdevice in a different service area. Method 2300 can then proceed to 2306where the registration process is completed, such as by forwardinginstructions to the communication device 2210 to cause are-registration. In one embodiment, the device 2210 upon detecting thatit is outside of its intended service area can utilize a bootstrap IMSIfor registration and a new IMSI can be utilized by the device to accessservices since the bootstrap IMSI may not provide direct access to theservices.

In another embodiment, a second communication device can be re-assigneda temporary IMSI (with full or limited services) when a firstcommunication device is already registered to the network using theshared IMSI. In another embodiment, when the first communication deviceis no longer registered to the network then the second communicationdevice can be reassigned the original IMSI that is previously hadutilized.

While for purposes of simplicity of explanation, the respectiveprocesses are shown and described as a series of blocks in FIG. 23, itis to be understood and appreciated that the claimed subject matter isnot limited by the order of the blocks, as some blocks may occur indifferent orders and/or concurrently with other blocks from what isdepicted and described herein. Moreover, not all illustrated blocks maybe required to implement the methods described herein.

In one embodiment, a first device can register with a shared IMSI andthe identity proxy function can intercept a registration request from asecond device attempting to register with the same IMSI. If the IMEI (orother device identification) of the second device is not provided duringregistration and/or is not in an accessible database, then the identityproxy function can simulate operations of a VLR or MME to cause an SRESor RES to identify the second device. In one embodiment, the seconddevice can register with a simulated VLR or MME. The simulated VLR orMME can perform device paging. In one embodiment, a paging area can bereduced to mitigate or avoid a registration conflict, where the pagingarea is focused on a particular location of the second device to avoidpaging the first device. In one embodiment, the identity provisioningfunction can provide OTA provisioning to the second device using atransport key of the second device. The first device can ignore the OTAmessage because the transport key of the first device is different fromthe transport key in the OTA message. The second device can receive andcomprehend the OTA messaging because it uses the corresponding transportkey. The OTA provisioning can cause a new IMSI (e.g., a temporary IMSIor another shared IMSI where it is shared with a device in a differentservice area) to be programmed in second device to avoid conflict whileboth devices are in the same service area (i.e., on the same VLR orMME). In one embodiment, the reassignment of IMSIs is performed ondevices having a UICC that is programmed with a transport key. Inanother embodiment, the identity proxy function and/or identityprovisioning function can determine whether a re-located deviceattempting to register with a shared IMSI has a transport key as acondition for reassignment of an IMSI.

In one embodiment, a first device has registered with the network and ispageable through its IMSI. The first device may not be assigned a TMSIor GUTI. If the first device is assigned a TMSI or GUTI, the network,after failed paging attempts, can page the largest area possible withthe IMSI. Continuing with this example, a second device attempts toregister with the same IMSI. This registration can be intercepted by theidentity proxy function and can be diverted to a registration simulationplatform 675. The registration simulation platform 675 can simulate aregistration. In one embodiment, the registration simulation platform675 can assign a unique TMSI or GUTI, thus minimizing the likelihood ofa duplicate page response. In one embodiment, the registrationsimulation platform 675 can be set up to not page using the IMSI and tolimit the size of the paging area it uses. This can prevent or mitigatethe first device from responding to a page intended for the seconddevice. In one embodiment, the registration simulation platform 675 caninstruct the second device to change its IMSI. This can happen duringthe simulated registration or after the simulated registration throughthe use of paging and OTA. Once the second device has a different IMSI,then there is no longer a situation where paging either IMSI results inmultiple responses. In one or more embodiments, paging and OTAprovisioning are facilitated by assignment of a TMSI or GUTI by theregistration simulation platform 675 and by not using the IMSI forpaging. In one embodiment, once the second device successfully registerswith the registration simulation platform 675 utilizing the originalshared IMSI 2212, a trigger can be sent (e.g., via the identity proxyfunction 2250) to an OTA platform with its IMSI and/or otherinformation. The OTA platform can then send an update using the keys ofthe original IMSI (e.g., where there is no more than one additionalIMSIs).

In one or more embodiments, the network and/or communication devices canbe adapted to support paging where multiple devices are utilizing thesame IMSI in a particular service area. In one example, the paging canbe performed utilizing the shared IMSI and also including some otherinformation that is unique to the intended recipient device, such as adevice identification. In this example, a response to the page can begenerated by the intended recipient device while another device usingthe same IMSI will not respond to the page because the unique identifierwill not match this other device. Continuing with this example, thenetwork element(s) can be adapted to adjust paging techniques to includethis unique device identification information and the communicationdevices can be adapted to respond to paging that is directed to theparticular device.

In another embodiment, the network can be adapted to allow for pagingvia an IMSI where the network can distinguish which device is providingthe response. For instance, the network can have access to deviceidentification information mapped to particular IMSIs and authorizedlocations can determine whether the responding device is theunauthorized device that is being reassigned a new IMSI.

In one embodiment, a first device can register with its IMSI and theIMSI is not changed by the network, and a second device registrationwith the same IMSI can be intercepted, simulated by a registrationsimulation platform 675, and the IMSI is not yet changed by theregistration simulation platform 675. In this example, both devices areregistered using their IMSIs. In one embodiment, when either networkpages the device, the exemplary embodiments can mitigate or prevent bothdevices responding to the page, such as paging using a unique deviceidentifier or paging utilizing a TMSI or GUTI. In one embodiment, if theregistration simulation platform 675 pages the second device to changethe IMSI, it can restrict its paging message to a small area (i.e.,where the registration came from) to avoid the page being received bythe first device. If the first device were to respond to the page, itwould be responding to the network, not the registration simulationplatform 675. The network would have no record of paging the firstdevice and therefore the network could ignore the page response from thefirst device.

In one or more embodiments, device location can be monitored by thenetwork such as via the identity proxy function, the identityprovisioning function or some other device to facilitate determiningwhether a device is authorized or otherwise intended to be operating ina particular location.

FIG. 24 illustrates a portion of a system 2400 that providescommunication services to end user devices or other devices, such ascommunication device 2410. System 2400 can be part of or combined withall or a portion of system 800 of FIG. 8, system 1000 of FIG. 10, system1100 of FIG. 11, system 1300 of FIG. 13, or another network such as anEPS, GPRS or UMTS network. The communication device 2410 can be varioustypes of devices such as an M2M device, an IoT device, a smartappliance, a utility meter, a fixed device, a mobile device, a vehiclecommunication system, or other devices that utilize an IMSI forestablishing communication services. The types of communication servicescan vary including voice services, video, data and/or messaging.

In one embodiment, system 2400 enables the same IMSI to be utilized bymore than one communication device based on intended locations ofdevices where management of those IMSIs is based on registration errormessages. A reassignment of an IMSI can be implemented where it isdetected that two or more devices utilizing a same IMSI are present in asame area, such as if a smart appliance is moved to a different homethat is in a same registration area of a VLR or MME of another smartappliance that utilizes the same IMSI. System 2400 can provide forregistration of communication devices through use of a registrationfunction, such as an MSC/VLR and/or HLR in a GSM network or an MMEand/or HSS in an LTE network.

System 2400 may or may not include intermediate network components inthe message exchange paths. System 2400 illustrates an attemptedregistration by the communication device 2410 utilizing an IMSI 2412that is shared with another communication devices (not shown). The othercommunication device may or may not be registered with the network. Eachof the communication devices sharing the same IMSI can have uniquedevice identification information (e.g., an IMEI, GUTI, eUICC IDinformation, MAC address, and so forth) and can also utilize their ownsecret keys for initiating and/or performing the registration process(e.g., generating a SRES or a RES). In one or more embodiments, thesecret keys can be known to other network elements (e.g., variousregistration functions) and/or can be statically linked to, andmaintained by, the communication devices.

In one embodiment at 2401, the communication device 2410 can requestregistration with the network. A registration request (e.g., based upona shared IMSI that is among a listing of designated shared IMSIs knownto the network) can be received by the registration function 2460 (e.g.,an MSC/VLR in a GSM network or an MME in an LTE network). In oneembodiment, the registration request can also be received by theidentity proxy function 2450. For instance, the registration request canbe intercepted, or otherwise received by, the identity proxy function2450 and then forwarded to the registration function 2460.

A registration process can be initiated according to the shared IMSI2412 and a secret key that is associated with the communication device2410. The registration function 2460 can be aware of, or otherwise haveaccess to, the secret key that is associated with the communicationdevice 2410. Various registration processes can be applied to ensureauthentication of the device and/or subscriber, such as the registrationprocesses described herein with respect to GSM or LTE networks,including a comparison of SRES in GSM or a comparison of RES in LTE or acomparison of XRES in UMTS environment. In one embodiment, the group ofdesignated IMSIs is limited to sharing IMSIs between only two devices.In another embodiment, the group of designated IMSIs can include IMSIsthat have been shared among more than two devices.

In one embodiment, the shared IMSIs are intended to be utilized bydevices that are in different locations so that registration conflictsare avoided or otherwise mitigated. For instance, the same IMSI can beutilized to register two different communication devices withoutcreating a registration conflict where the devices are in differentregistration areas associated with different registration functions,such as different VLRs or different MMEs and different HLRs or differentHSSs.

In one embodiment at 2402, a registration error can be generated by theregistration function 2460 (e.g., an authentication failure messagegenerated by the MSC/VLR and/or HLR in GSM or by the MME and/or HSS inLTE) and can be received by the identity proxy function 2450 from theregistration function 2460. In this example, the identity proxy function2450 can intercept the authentication failure message prior to it beingreceived by the communication device 2410. The particular messaging thatmakes up the registration request, the registration process and/or theregistration error can vary. In one embodiment, the identity proxyfunction 2450 can determine that the registration error is a validregistration failure for a device that should not be attempting to usethe IMSI, such as a third device that is not the original deviceauthorized for the particular location and is not a new device that isnew to the location and is sharing the IMSI. In this example, theidentity proxy function 2450 can allow the error process (e.g., anauthentication failure messaging) to proceed, including delivering aregistration error to this third device which is not authorized to besharing the IMSI.

In one embodiment, where the error message does not include any deviceidentification information and/or the IMSI, the identity proxy function2450 can ascertain the device identification information and/or IMSIfrom the registration request that was previously received orintercepted. For instance, when the identity proxy function 2450 detectsa registration error message, the identity proxy function 2450 candetect within the message addressing information, message IDinformation, correlation ID information, and so forth, and can furthercorrelate the error message with the stored registration requestpreviously intercepted. This enables the IMSI and/or deviceidentification information (e.g., GUTI or IMEI) to be determined.

In one embodiment, the identity proxy function 2450 can identify theparticular device requesting registration with the network according todevice identification information (e.g., an IMEI or GUTI) obtained forthe communication device 2410, such as being received from device 2410(e.g., in the registration request) or obtained from another networkelement (e.g., from an Identification Request sent to the old MME/SGSNto request the IMSI). In one embodiment, identification of thecommunication device 2410 can be based on simulating a registrationprocess and forcing a generation of an SRES (in GSM) or RES (in LTE) bythe communication device 2410, as described herein.

In another embodiment at 2403, a request for reassignment of anotherIMSI (e.g., from the listing of the designated IMSIs) or authorizationto utilize the shared IMSI 2412 can be provided to the identityprovisioning function 2499 from the identity proxy function 2450. Forinstance, the identity proxy function 2450 can (e.g., in response toreceiving the error message) compare the shared IMSI 2412 associatedwith communication device 2410 to the list of designated IMSIs. Theidentity proxy function 2450 can further determine the identity of thecommunication device 2410 (authorized at the present location vs new tothe present location) based on device identification information (e.g.,an IMEI, GUTI and so forth).

Reassignment of another IMSI 2413 or authorization to use the sharedIMSI 2412 (e.g., where the shared IMSI is not being utilized in theparticular service area) can be implemented. In one embodiment, theidentity provisioning function 2499 can notify the HLR or HSS that theuser is valid and the HLR or HSS can perform a database update to enablea subsequent registration utilizing the reassigned IMSI 2413 by thedevice 2410. In this example, the identity proxy function 2450 can alsotake action, such as preventing forwarding of the failed registration tothe device 2410, to cause the device to reattempt the registration.

In one embodiment, a determination of a subscriber's eligibility forservices can be made. Eligibility for services can be based on variousfactors such as suspension of services for non-payment or other reasons,the device/UICC is no longer compatible with network or services, and soforth. In another embodiment, a determination of a compatibility ofservice with a UICC of the communication device 2410 can be made. One orboth of these determinations can be part of deciding whether to reassignanother IMSI 2413, to authorize use of the original IMSI 2412, or todeny services at this particular location to the communication device2410. These determinations can be made by the identity provisioningfunction 2499 or can be made by another network element.

If it is determined that the new IMSI 2413 is to be reassigned to thecommunication device 2410, then at 2404 provisioning information can beprovided by the identity provisioning function 2499 to the registrationfunction 2460 which will enable the communication device to registerwith the network utilizing the reassigned IMSI in conjunction with anoriginal secret key that is associated with the communication device. Inone embodiment, if it is determined that the communication device 2410is to be permitted to reuse its original IMSI 2412 (where the originalIMSI 2412 is not being used in this service area), then provisioninginformation can be provided by the identity provisioning function 2499to the registration function 2460 which will enable the communicationdevice to register with the network utilizing the original IMSI 2412 inconjunction with the original secret key that is associated with thecommunication device.

If it is determined that the new IMSI 2413 is to be provisioned to thecommunication device 2410, then at 2405 provisioning information can beprovided by the identity provisioning function 2499 to the communicationdevice 2410 which will include the reassigned IMSI 2413. As an example,the identity provisioning function 2499 can provide the reassigned IMSI2413 to the communication device 2410 utilizing an OTA interfaceaccording to an SMS protocol such as through use of the registrationsimulation platform 675. Other protocols can also be utilized for theOTA interface including being HTTP-based.

In one embodiment, if it is determined that the communication device2410 is not to be permitted to reuse its original IMSI 2412, thenprovisioning information can be provided by the identity provisioningfunction 2499 to the communication device 2410 to prevent thecommunication device from attempting to register with the networkutilizing the original IMSI 2412. In one embodiment, the identityprovisioning function 2499 can further communicate with various networkelements (e.g., the identity proxy function 2450, HLR, HSS, EIR, and soforth) so that the network elements are informed of the current state ofIMSIs and/or communication devices. For example, if an original deviceis reassigned another IMSI 2413 or an original device is nullified fromusing the original IMSI 2412 via provisioning information then theidentity provisioning function 2499 can remove the original IMSI (ofthat original device) from the listing of designated IMSIs. In theseexamples, the original IMSI 2412 can also then be assigned to anotherdevice (if not already reassigned). The device 2410 can be registered inorder for the identity provisioning function to change the device'sIMSI. This can be part of a simulated registration. In one embodiment,other techniques can be employed that enable OTA interfacing withdevices, such as special registration. For example, National IdentityRegister (NIR) equipment can register devices as warm devices (i.e.,providing limited services for non-customers) that allow OTA (e.g. viaSMS protocol) to occur. In one or more embodiments, the provisioning ofthe new IMSI can be performed by utilizing a limited registration thatresults in the device being a warm device while the IMSI is beingprovisioned via OTA to that device.

At 2406 if IMSI 2410 has been reassigned to the communication device2410, then the communication device 2410 can re-register. For example,the provisioning information provided by the identity provisioningfunction 2499 to the communication device 2410 can cause thecommunication device to initiate a re-registration. The re-registrationrequest can be received and processed by the registration function 2460and based on the provisioning procedures at steps 2404 and 2405, asuccessful registration message can be provided to the communicationdevice 2410 at 2407.

In one or more embodiments, the identity provisioning function 2499 canprovision an NSM with the reassigned IMSI 2413 for the device 2410 wherethe secret key of the device 2410 is already known. In anotherembodiment, the identity provisioning function 2499 can be integratedwith equipment of the NSM. In one embodiment, a billing system candetect the change in IMSI for the UICC and can provision some or allother network elements necessary for enabling call processing (e.g., HLR260, AUC 270, MME 840 and/or HSS 860). In one embodiment, the identityproxy function 2450 and/or the identity provisioning function 2499 canprovide instructions to the communication device 2410 that causes thecommunication device to initiate a re-registration utilizing there-assigned IMSI 2413.

In one embodiment, the identity proxy function 2450 and/or the identityprovisioning function can determine that the communication device 2410has been moved to a different location (i.e., a different service areaof a VLR or MME). The different location can be one where another deviceis using the same shared IMSI. In one embodiment, a temporary orparticular IMSI can be reassigned to devices entering the differentlocation. For instance, a reassigned temporary IMSI can limit servicesof the device while it is present in the different location, such aslimiting type, amount and/or time of services. In one embodiment, thedevice can be reassigned the previous shared IMSI upon returning to itsoriginal location. In one embodiment, the identity proxy function 2450can determine whether the device has been moved based on informationassociated with a registration request, such as the location area,tracking area, etc.

In one or more embodiments, paging and OTA provisioning are facilitatedby assignment of a TMSI or GUTI by the registration simulation platform675 and by not using the IMSI for paging. In one embodiment, once a newdevice successfully registers with the registration simulation platform675 utilizing the original shared IMSI 2412, a trigger can be sent(e.g., via the identity proxy function 2450) to an OTA platform. The OTAplatform can then send an update using the keys of the original IMSI(e.g., where there is no more than one additional IMSIs). In one or moreembodiments, the network and/or communication devices can be adapted tosupport paging where multiple devices are utilizing the same IMSI in aparticular service area. In one example, the paging can be performedutilizing the shared IMSI and also including some other information thatis unique to the intended recipient device, such as a deviceidentification.

In another embodiment, the network can be adapted to allow for pagingvia an IMSI where the network can distinguish which device is providingthe response. For instance, the network can have access to deviceidentification information mapped to particular IMSIs and authorizedlocations, and can determine whether the responding device is theunauthorized device that is being reassigned a new IMSI. In one or moreembodiments, device location can be monitored by the network such as viathe identity proxy function, the identity provisioning function or someother device to facilitate determining whether a device is authorized orotherwise intended to be operating in a particular location.

FIG. 25 depicts an illustrative embodiment of a method 2500 used bysystem 2400 for facilitating the reassignment of IMSIs where a device isattempting to register in a location where the same IMSI is being usedby another device. One or more of the steps of method 2500 can beperformed by the identity proxy function 2450, the identity provisioningfunction 2499 and/or by other devices described in FIGS. 2-6, 8-11, 13,15, 17, 19-20, 22, and 24. At 2502, a registration error message can bedetect or intercepted. For instance, the error message can result from aregistration request that is generated by or caused to be generated by acommunication device utilizing: one or more of a shared IMSI that ispart of the listing of designated IMSIs, a shared IMSI which is alreadyregistered to the network at that particular location, a shared IMSIwhere the device is not authorized to register at that particularlocation, and so forth. As an example in GSM, the identity proxyfunction 2450 can receive an authentication failure message from a VLR.As another example in LTE, the identity proxy function 2450 can receivean authentication failure message from an MME.

In one or more embodiments if there is no determination of an error(e.g., the IMSI is not included in the listing of designated IMSIs orthe IMSI is a shared IMSI being utilized by a device that is authorizedto register at the particular location) then method 2500 can proceed to2516 so that the registration process can be completed (using theoriginal IMSI) which enables the communication device to obtain servicesvia the network at that particular location.

At 2504, a determination can be made as to whether the error is based ona shared IMSI, such as comparing the IMSI to a list of designated sharedIMSIs (e.g., being utilized by devices that are intended to operate indifferent service areas of a VLR or MME). In one embodiment, if the IMSIis not part of the designated group of IMSIs or it is otherwisedetermined that the registration error was due to another reason (e.g.,the IMSI is a shared IMSI but the device is an unauthorized device) thenthe registration can be prevented or otherwise terminated at 2505, suchas via forwarding a registration failure message to the device and/ornotifying a network administrator device of the registration error.

If on the other hand the IMSI is part of the designated group of IMSIsthen a determination can be made at 2508 as to whether the registrationrequest is for a device that is operating in an authorized location. Theidentification of the particular device can be performed in a number ofdifferent ways, such as based on device identification information(e.g., IMEI or GUTI), simulating a registration process to force an SRESor RES generation by the device from which the device identification canbe determined, and so forth. In one embodiment, the identity proxyfunction 2450 can have access to a mapping of devices that have sharedIMSIs and that are authorized to operate in the particular service areaof the VLR or MME.

In one embodiment, if the registration request and the IMSI are from adevice that is authorized to operate in the service area then theregistration process can be continued by forwarding the registrationrequest and/or IMSI to the MSC/VLR (in GSM) or the MME (in LTE) toperform the registration at 2506. For instance, a utility meter maybecome unregistered with the network and may be seeking re-registration.If on the other hand, the registration request and the IMSI are fromanother device that has not been authorized to operate in the servicearea then a determination can be made at 2510 as to whether thesubscriber of the device is eligible for communication services.Eligibility for services can be based on various factors and can bedetermined by various components or a combination of components, such asbased on billing, device hardware requirements, device softwarerequirements, user requests, and so forth.

In one embodiment, if the subscriber of the device is not eligible forcommunication services then at 2512 provisioning information can beprovided to the device (e.g., via OTA provisioning by the identityprovisioning function 2599 such as through use of registrationsimulation platform 675) that causes disabling the use of the particularIMSI by the device. If on the other hand, the subscriber of the deviceis eligible for communication services then at 2514 the device can beprovisioned (e.g., utilizing registration simulation platform 675) withanother IMSI.

In one embodiment, the new IMSI 2413 that is reassigned to the device2410 can be selected from a listing of designated IMSI that are beingshared with another device(s) in a different service area so thatfurther registration conflicts are minimized or eliminated. Method 2500can then proceed to 2506 where the registration process is completed,such as by forwarding instructions to the communication device 2410 tocause a re-registration utilizing the new IMSI 2413.

In one or more embodiments, reassignment of an IMSI for a device thathas been re-located to a new service area can be based on other factors.For instance, a type of device can be detected and the decision toreassign can be based on that type, such as allowing reassignment ofIMSIs for a smart appliance that has moved to a new location butpreventing reassignment of an IMSI for a utility meter that is beingused in a new location. In another embodiment, reassignment of IMSIs fordevices that have re-located can be limited, such as allowing only aparticular number of reassignments or reassigning an IMSI that providesfor limited services.

While for purposes of simplicity of explanation, the respectiveprocesses are shown and described as a series of blocks in FIG. 25, itis to be understood and appreciated that the claimed subject matter isnot limited by the order of the blocks, as some blocks may occur indifferent orders and/or concurrently with other blocks from what isdepicted and described herein. Moreover, not all illustrated blocks maybe required to implement the methods described herein.

FIG. 26 illustrates a portion of a system 2600 that providescommunication services to end user devices or other devices, such ascommunication device 2610. System 2600 can be part of or combined withall or a portion of system 200 of FIG. 2, system 800 of FIG. 8, othersystems described herein, or another network such as an EPS, GPRS orUMTS network. The communication device 2610 can be various types ofdevices such as an M2M device, an IoT device, a smart appliance, autility meter, a fixed device, a mobile device, a vehicle communicationsystem, or other devices that utilize an IMSI for establishingcommunication services. The types of communication services can varyincluding voice services, video, data and/or messaging.

In one embodiment, system 2600 provides for provisioning (e.g., viaequipment 2601 of an entity such as a vendor or manufacturer of UICCs)of a generic IMSI 2612 (e.g., a single IMSI reserved for use by themanufacturer of the UICCs) to a group of UICCs. The group of UICCs canthen be provided to communication devices, such as UICC 2605 beingprovided to the communication device 2610 to enable the same IMSI 2612to be utilized by more than one communication device during aregistration process that results in reassignment of new IMSIs (e.g.,IMSI 2613 reassigned to UICC 2605 of communication device 2610).

In one embodiment, the generic IMSI 2612 can be received by theequipment 2601 of the entity from equipment of a service provider (e.g.,the service provider that is operating the identity proxy function 2650,the registration function 2660 and the identity provisioning function2699). In one embodiment, the identity provisioning function 2699 canprovide the generic IMSI 2612 to the equipment 2601 of the entity. Inone embodiment, the service provider can provide different generic IMSIsto different vendors or manufacturers of the UICCs. In this example, newIMSIs are not assigned to a device until the device registers with thenetwork (via the generic IMSI 2612) so that if a device (or UICC) doesnot register with the network (via the generic IMSI) the serviceprovider is not losing use of an IMSI. The new IMSI 2613 can be a fullservice IMSI which enables any services at the communication device forwhich the user of the device is subscribed. In one or more embodiments,the generic IMSI 2612 can be a limited service IMSI (e.g., a bootstrapIMSI) that enables communication with network elements but does notenable subscriber services (which are enabled for the communicationdevice 2610 after it registers with the network utilizing the new IMSI2613). In one or more embodiments, the equipment 2601 of the entity canreceive multiple generic IMSIs and can assign different generic IMSIs todifferent types of UICCs (e.g., a first group of UICCs that are intendedto be used in IoT devices receive generic IMSI X while a second group ofUICCs that are intended to be used in mobile phone devices receivegeneric IMSI Y).

In one or more embodiments, other information can be provisioned to theUICCs (e.g., by the equipment 2601) such as secret keys that are to beutilized in registering with a network (e.g., a secret key that enablesgenerating a RES, SRES, or XRES for authentication during registration).In one or more embodiments, secret key mapping information can beprovided by the equipment 2601 of the entity to the network, such as tothe identity provisioning function 2699. In this example, the secret keymapping information can be utilized as part of an authenticationprocess, such as comparison of a RES, SRES or XRES, confirmation ofidentification information being received in a registration request, andso forth. In one embodiment, other mapping information (e.g., eUICC orUICC identification) can be provided by the equipment 2601 of the entityto the network with or without the secret key mapping information.

System 2600 can provide for registration of communication devicesthrough use of a registration function 2660, such as an MCS/VLR and/orHLR in a GSM network or an MME and/or HSS in an LTE network. System 2600may or may not include intermediate network components in the messageexchange paths. System 2600 illustrates a first registration by thecommunication device 2610 utilizing generic IMSI 2612 that is shared byother UICCs manufactured by the entity. In one or more embodiments, eachof the UICCs sharing the generic IMSI 2612 can have uniqueidentification information (e.g., an Integrated Circuit Card Identifier(ICCID) or eUICC ID information) and can also utilize their own secretkeys for initiating and/or performing the registration process (e.g.,generating an SRES, RES or XRES). As described herein, this uniqueinformation can be provided to the network so that the network canidentify UICCs that are attempting to register with the network usingthe generic IMSI 2612.

In the example of system 2600, the identity proxy function 2650 canintercept or otherwise receive the IMSI, such as based on intercepting aregistration request (e.g., prior to the registration request beingprovided to an MSC/VLR and/or HLR in GSM as illustrated in FIG. 2 orprior to the registration request being provided to an MME and/or HSS inLTE as illustrated in FIG. 8). In one embodiment, the generic IMSI 2612can be a shared bootstrap IMSI that provides for limited functionalitysuch as being limited to bootstrap functions (e.g., functions thatenable communicating with the network for administrative reasonsincluding obtaining another IMSI). In one embodiment, the firstregistration request can include the identification information (e.g.,ICCID or eUICC ID information) along with the generic IMSI 2612. In oneembodiment, the device 2610 can be adapted so that it includes theidentification information and/or the generic IMSI 2612 in the firstregistration request. In one embodiment, the identity proxy function2650 can determine that the generic IMSI 2612 is a shared IMSI. In oneor more embodiments, the identity proxy function 2650 can identify (orconfirm an identity of) the particular device and/or the particular UICCrequesting registration with the network based on various techniques.For example, the identity proxy function 2650 can have access to amapping of information including the generic IMSI 2612, theidentification information and/or secret key information.

In another embodiment, identification of (or confirmation of theidentity of) the communication device 2610 can be based on simulating aregistration process and forcing a generation of an SRES, RES or XRES bythe communication device 2610, as described herein. In one embodiment,registration simulation platform 675 can be utilized (e.g., positionedbetween the communication device 2610 and the VLR in GSM or positionedbetween the communication device and the MME in LTE). For example, theregistration simulation platform 675 can comprise a set of functionalelements that exist in the target network including an MSC/VLR, MME, HLRor HSS, AUC, SMSC, OTA platform, SGW, PGW, EIR and/or any combinationthereof. In one embodiment, the registration simulation platform 675 cansimulate a registration of the communication device 2610 and canidentify the communication device from the secret key and/or from otheridentification information (e.g., ICCID or eUICC ID information).

In one embodiment, the identity proxy function 2650 and/or the identityprovisioning function 2699 can determine whether the communicationdevice 2610 is eligible for services. If the device 2610 is not eligiblefor services (e.g., suspension of services for non-payment or otherreasons, device/UICC is not compatible with network or services, and soforth) then the identity proxy function 2650 can cause or otherwisefacilitate or enable provisioning information to be provided (e.g., viathe identity provisioning function 2699) to the device 2610 to cause thedevice to disable its use of the generic IMSI 2612. In one embodiment,this can be performed via a simulated registration (e.g., using theregistration simulation platform 675) that utilizes the generic IMSI2612.

In one embodiment, if the communication device 2610 is eligible forservices then the identity provisioning function 2699 can implement areassignment of a new IMSI 2613 for the device 2610. The new IMSI 2613can be a full service IMSI which enables any services at thecommunication device for which the user of the device is subscribed. Inone embodiment, the new IMSI 2613 can be an IMSI that is not shared byany other device or shared by any other UICC. In another embodiment, thenew IMSI 2613 can be a shared IMSI that is being shared by anotherdevice(s) that is located in a different registration service area, suchas described with respect to systems 1900 and 2000 of FIGS. 19 and 20.

In one embodiment, responsive to a determination that an IMSIreassignment is warranted, the identity proxy function 2650 can providea request to the identity provisioning function 2699 for the new IMSI2613 or the determination can be made by the identity provisioningfunction 2699. In one embodiment, the communication device 2610 cancontinue to utilize its original secret key (which can be mapped to thecommunication device 2610 by the network such as in an HLR or HSSaccording to the secret key mapping information). In one embodiment, thedetermination of eligibility for services can be made by the identityprovisioning function 2699. For example, the identity proxy function2650 can automatically transmit a request to the identity provisioningfunction 2699 for another IMSI responsive to a determination that thegeneric IMSI 2612 is being utilized by a device. The determination towhether the new IMSI 2613 can be provisioned would then be made by theidentity provisioning function 2699.

As described herein, the registration simulation platform 675 can enablesending an OTA message to the communication device 2610 that can causethe modification of the device IMSI (e.g., storing the new IMSI 2613 inthe UICC 2605 and/or disabling use of the generic IMSI 2612 by thedevice) and can cause the device to perform a re-registration to thetarget network using the new IMSI 2613. In one embodiment, the identityproxy function 2650 and/or the identity provisioning function 2699 canprovide instructions to the communication device 2610 that causes thecommunication device to initiate the re-registration utilizing there-assigned IMSI 2613.

In one embodiment, the simulated registration can be performed based onmapping information that was received by the network from the equipment2601 of the entity. For example, the identity proxy function 2650 canhave access to mapping information that indicates what UICCs are using aparticular generic IMSI 2612 and further indicates the secret key beingutilized by that particular UICC. Based on this information, theidentity proxy function 2650 can facilitate the generation of a RES,SRES, XRES utilizing the correct secret key so that a comparison can bemade to a received response which includes the RES, SRES, XRES generatedby the communication device 2610. In one embodiment, the equipment 2601of the entity can update the mapping information provided to the networkresponsive to additional manufacturing of UICCs (e.g., additionalprovisioning of the generic IMSI 2612 and other secret keys to otherUICCs that have been manufactured).

Continuing with this example, the identity provisioning function 2699can notify various network elements (e.g., an HLR, AUC, EIR, HSS, and/orNSM) that the communication device 2610 is now associated with theparticular reassigned IMSI 2613. In one embodiment, this transmitting ofnetwork provisioning data can cause the HLR or HSS to delete (orotherwise note the change of) a generic IMSI assignment for thecommunication device 2610 and/or add the new IMSI assignment for thecommunication device 2610 in its database. In one embodiment, thisnotification can cause the HLR or the HSS to perform a database updatesuch as re-mapping to particular HLR records, adjusting mapping withrespect to MSISDNs, adjusting an identification of availablecommunication services that the subscriber has requested or isauthorized to utilize, adjusting GPRS settings to allow the subscriberto access packet services, and so forth. In one embodiment, thesimulated registration can be performed by the registration simulationplatform using the generic IMSI 2612 (without being performed by theregistration function 2660) and the second registration can be performedby the registration function 2660 using the new IMSI 2613 (without beingperformed by the registration simulation platform 675).

FIG. 27 illustrates a portion of a system 2700 that providescommunication services to end user devices or other devices, such ascommunication device 2710. System 2700 can be part of or combined withall or a portion of system 200 of FIG. 2, system 800 of FIG. 8, othersystems described herein, or another network such as an EPS, GPRS orUMTS network. In one embodiment, system 2700 provides for provisioning(e.g., via equipment 2701 of an entity such as a vendor or manufacturerof IoT devices) of a generic IMSI 2712 (e.g., a single IMSI reserved foruse by a device manufacturer) to a group of devices, such ascommunication device 2710 to enable the same IMSI 2712 to be utilized bymore than one communication device during a registration process thatresults in reassignment of new IMSIs (e.g., IMSI 2713 reassigned tocommunication device 2710). The communication device 2710 can be varioustypes of devices such as an M2M device, an IoT device, a smartappliance, a utility meter, a fixed device, a mobile device, a vehiclecommunication system, or other devices that utilize an IMSI forestablishing communication services. The types of communication servicescan vary including voice services, video, data and/or messaging.

In one embodiment, the generic IMSI 2712 can be received by theequipment 2701 of the entity from equipment of a service provider (e.g.,the service provider that is operating the identity proxy function 2750,the registration function 2760 and the identity provisioning function2799). In one embodiment, the identity provisioning function 2699 canprovide the generic IMSI 2712 to the equipment 2701 of the entity. Inone embodiment, the service provider can provide different generic IMSIsto different manufacturers of devices. In this example, new IMSIs arenot assigned to a device until the device registers with the network(via the generic IMSI 2712) so that if a device does not register withthe network (via the generic IMSI) the service provider is not losinguse of an IMSI. The new IMSI 2713 can be a full service IMSI whichenables any services at the communication device for which the user ofthe device is subscribed.

In one or more embodiments, the generic IMSI 2712 can be a limitedservice IMSI (e.g., a bootstrap IMSI) that enables communication withnetwork elements but does not enable subscriber services (which areenabled for the communication device 2710 after it registers with thenetwork utilizing the new IMSI 2713). In one or more embodiments, theequipment 2701 of the entity can receive multiple generic IMSIs and canassign different generic IMSIs to different types of devices (e.g., afirst group of smart utility meters receive generic IMSI X while asecond group of smart washing machines receive generic IMSI Y).

In one or more embodiments, other information can be provisioned to thedevices (e.g., by the equipment 2701) such as secret keys that are to beutilized in registering with a network (e.g., a secret key that enablesgenerating a RES, SRES, or XRES for authentication during registration).In one or more embodiments, secret key mapping information can beprovided by the equipment 2701 of the entity to the network, such as tothe identity provisioning function 2799. In this example, the secret keymapping information can be utilized as part of an authenticationprocess, such as comparison of a RES, SRES or XRES, confirmation ofidentification information being received in a registration request, andso forth. In one embodiment, other mapping information (e.g., eUICC,UICC, IMEI, GUTI, MAC address) can be provided by the equipment 2701 ofthe entity to the network with or without the secret key mappinginformation.

System 2700 can provide for registration of communication devicesthrough use of a registration function 2760, such as an MCS/VLR and/orHLR in a GSM network or an MME and/or HSS in an LTE network. System 2700may or may not include intermediate network components in the messageexchange paths. System 2700 illustrates a first registration by thecommunication device 2710 utilizing generic IMSI 2712 that is shared byother devices manufactured by the entity. In one or more embodiments,each of the devices sharing the generic IMSI 2712 can have uniqueidentification information (e.g., IMEI, GUTI, MAC address) and can alsoutilize their own secret keys for initiating and/or performing theregistration process (e.g., generating an SRES, RES or XRES). Asdescribed herein, this unique information can be provided to the networkso that the network can identify devices that are attempting to registerwith the network using the generic IMSI 2712.

In the example of system 2700, the identity proxy function 2750 canintercept or otherwise receive the generic IMSI 2712 such as in a firstregistration request which also includes the identification information(e.g., IMEI, GUTI, MAC address). In one or more embodiments, separatemessages can be utilized for delivering the generic IMSI 2712 and theunique device identification to the network. In another embodiment, asingle message (e.g., a registration request) can be utilized fordelivering the generic IMSI 2712 and the unique device identification tothe network, such as in different fields of the message.

In one embodiment, the identity proxy function 2750 can determine thatthe generic IMSI 2712 is a shared IMSI. In one or more embodiments, theidentity proxy function 2750 can identify (or confirm an identity of)the particular device requesting registration with the network based onvarious techniques. For example, the identity proxy function 2750 canhave access to a mapping of information including the generic IMSI 2712,the identification information and/or secret key information.

In another embodiment, identification of (or confirmation of theidentity of) the communication device 2710 can be based on simulating aregistration process and forcing a generation of an SRES, RES or XRES bythe communication device 2710, as described herein utilizingregistration simulation platform 675. For instance, the registrationsimulation platform 675 can simulate a registration of the communicationdevice 2710 and can identify the communication device from the secretkey and/or from other identification information (e.g., IMEI, GUTI, MACaddress).

In one embodiment, the identity proxy function 2750 and/or the identityprovisioning function 2799 can determine whether the communicationdevice 2710 is eligible for services. If the device 2710 is not eligiblefor services (e.g., suspension of services for non-payment or otherreasons, device/UICC is not compatible with network or services, and soforth) then the identity proxy function 2750 can cause or otherwisefacilitate or enable provisioning information to be provided (e.g., viathe identity provisioning function 2799) to the device 2710 to cause thedevice to disable its use of the generic IMSI 2712, such as via OTAmessaging using the simulated registration.

In one embodiment, if the communication device 2710 is eligible forservices then the identity provisioning function 2799 can implement areassignment of a new IMSI 2713 for the device 2710. The new IMSI 2713can be a full service IMSI which enables any services at thecommunication device for which the user of the device is subscribed. Inone embodiment, the new IMSI 2713 can be an IMSI that is not shared byany other device or any other UICC. In another embodiment, the new IMSI2713 can be a shared IMSI that is being shared by another device(s) thatis located in a different registration service area, such as describedwith respect to systems 1900 and 2000 of FIGS. 19 and 20. In oneembodiment, the communication device 2710 can continue to utilize itsoriginal secret key (which can be mapped to the communication device2710 by the network such as in an HLR or HSS according to the secret keymapping information).

As described herein, the registration simulation platform 675 can enablesending an OTA message to the communication device 2710 that can causethe modification of the device IMSI (e.g., storing the new IMSI 2713 ina UICC of the device 2710 and/or disabling use of the generic IMSI 2712by the device) and can cause the device to perform a re-registration tothe target network using the new IMSI 2713. In one embodiment, theidentity proxy function 2750 and/or the identity provisioning function2799 can provide instructions to the communication device 2710 thatcauses the communication device to initiate a re-registration utilizingthe re-assigned IMSI 2713. In one embodiment, the simulated registrationcan be performed by the registration simulation platform using thegeneric IMSI 2712 (without being performed by the registration function2760) and the second registration can be performed by the registrationfunction 2760 using the new IMSI 2713 (without being performed by theregistration simulation platform 675).

In one embodiment, the simulated registration can be performed based onmapping information that was received by the network from the equipment2701 of the entity. For example, the identity proxy function 2750 canhave access to mapping information that indicates what devices are usinga particular generic IMSI 2712 and further indicates the secret keybeing utilized by that particular device. Based on this information, theidentity proxy function 2750 can facilitate the generation of a RES,SRES, XRES utilizing the correct secret key so that a comparison can bemade to a received response which includes the RES, SRES, XRES generatedby the communication device 2710. In one embodiment, the equipment 2701of the entity can update the mapping information provided to the networkresponsive to additional manufacturing of device (e.g., additionalprovisioning of the generic IMSI 2712 and other secret keys to other IoTdevices).

Continuing with this example, the identity provisioning function 2799can notify various network elements (e.g., an HLR, AUC, EIR, HSS, and/orNSM) that the communication device 2710 is now associated with theparticular reassigned IMSI 2713. In one embodiment, this transmitting ofnetwork provisioning data can cause the HLR or HSS to delete (orotherwise note the change of) a generic IMSI assignment for thecommunication device 2710 and/or add the new IMSI assignment for thecommunication device 2710 in its database. In one embodiment, thisnotification can cause the HLR or the HSS to perform a database updatesuch as re-mapping to particular HLR records, adjusting mapping withrespect to MSISDNs, adjusting an identification of availablecommunication services that the subscriber has requested or isauthorized to utilize, adjusting GPRS settings to allow the subscriberto access packet services, and so forth.

FIG. 28 depicts an illustrative embodiment of a method 2800 used bysystems 2600 and 2700 for facilitating registration of communicationdevices and the reassignment of IMSIs. One or more of the steps ofmethod 2800 can be performed by an identity proxy function of a serviceprovider, an identity provisioning function of the service provider,equipment of a vendor or manufacturer and/or by other devices describedin FIGS. 2-6, 8-11, 13, 15, 17, 19-20, 22, 24 and 26-27. In one or moreembodiments, the entity and the service provider are distinct entities.

At 2802, a generic IMSI can be provided by the service provider to theentity so that the entity can provision UICCs and/or devices with thegeneric IMSI. In one embodiment, the provisioning of the UICCs and/ordevices can be part of a manufacturing process of the UICCs and/ordevices. Other information can be provisioned to the UICCs and/or deviceby equipment of the entity, such as a secret key for use in aregistration/authentication process (e.g., to generate a RES, SRES, XRESresponse). In one or more embodiments, the service provider can utilizedifferent generic IMSIs for different entities that manufacture and/orprovision UICCs and/or devices. In one or more embodiments, the serviceprovider can provide multiple generic IMSIs to a single entity for usein provisioning of the UICCs and/or devices. For instance, the entitycan apply different generic IMSIs to different types of UICCs and/ordevices. In another embodiment, the entity can apply different genericIMSIs to UICCs and/or devices that are expected to first register in asingle registration service area. By providing different generic IMSIs,this can reduce the likelihood of a registration problem that couldarise from two devices that attempt to register at the same time withthe same generic IMSI in the same registration service area.

At 2804, the entity (e.g., via equipment of the entity) can providemapping information to the network that is associated with the genericIMSI(s). For instance, the entity can transmit or otherwise provide thenetwork (e.g., the identity provisioning function) with mappinginformation that indexes the generic IMSI to a unique identification andto a secret key for each of a group of UICCs and/or devices. The mappinginformation can be updated as other UICCs and/or devices aremanufactured, provisioned, sold or are otherwise made ready to registerwith the network. In one or more embodiments, the information from theentity can include the IMSI and the secret key, and may include otherinformation.

At 2806, a generic IMSI can be intercepted or otherwise obtained by theidentity proxy function, such as in a registration request, and at 2808the identity proxy function can determine that the received IMSI is ageneric IMSI being shared among other UICCs and/or devices. If the IMSIwas not a generic IMSI then method 2800 can proceed to 2810 to registerthe device including performing an authentication utilizing thenon-generic IMSI. If on the other hand the IMSI is a generic IMSI,method 2800 can proceed to 2812 to confirm service eligibility.Eligibility for services can be based on various factors such assuspension of services for non-payment or other reasons, the device/UICCis not compatible with network or services, and so forth.

If the device or user is not eligible for service then at 2814 use ofthe generic IMSI at the device can be disabled. For example, OTAmessaging can be provided to the device that causes the device todisable the use of the generic IMSI. In one embodiment, the OTAmessaging can be enabled by simulating a registration (e.g., viaregistration simulation platform 675) using the generic IMSI and thendisabling the subsequent use of that generic IMSI by the device via theOTA messaging.

If on the other hand the device or user is eligible for service, then at2816 a new IMSI can be reassigned to the device via an OTA interface. Inone embodiment, the OTA messaging causes the device to store the newIMSI and causes the device to provide a second registration request tothe network that utilizes the new IMSI in order to complete theregistration at 2810.

In one embodiment, the generic IMSI can be a limited service orbootstrap IMSI that does not enable access to subscriber services butrather enables communicating with network elements (e.g., the identityproxy function). The new IMSI can be a full service IMSI that enablesaccess to any services that the user is subscribed to upon completion ofthe registration. In one or more embodiments, the OTA interface canutilize a transport key stored by the communication device.

While for purposes of simplicity of explanation, the respectiveprocesses are shown and described as a series of blocks in FIG. 28, itis to be understood and appreciated that the claimed subject matter isnot limited by the order of the blocks, as some blocks may occur indifferent orders and/or concurrently with other blocks from what isdepicted and described herein. Moreover, not all illustrated blocks maybe required to implement the methods described herein.

FIG. 29 depicts an illustrative embodiment of classifying IMSIs fordifferent devices according to mobility and/or device location. In oneor more embodiments, an IMSI can be assigned to different devices by anidentity provisioning function on a network device as described herein.These devices can be of the same or different types, such as a mobilephone 2905, an automobile 2910, and a package (e.g., to track delivery).Further, an IMSI can be assigned to different appliances such as awasher 2915, television, and security camera 2920. In addition, an IMSIcan be assigned to different utility meters such as a water meter 2925and an electric meter.

In one or more embodiments, each device associated with an IMSI can beclassified by the identity provisioning function according to devicetype, mobility type or roaming capability, device location, and/oractive level. In some embodiments, the identity provisioning functioncan reuse an IMSI assigned to one device and assign it also to anotherdevice according to one of a mobility type, device location, and/oractive level. Such reusable IMSIs can be generated or otherwise selectedby the identity provisioning function. Further, the reusable IMSIs canbe placed on a list of designated IMSIs provided by the identityprovisioning function to the identity proxy function.

In one or more embodiments, the identity provisioning function cananalyze the mobility type, location, and/or active level of a deviceassociated with an IMSI for possible reuse. In some embodiments, fromsuch analysis, the identity provisioning function can determine to reusean IMSI associated with a device having an inactive active level. Reuseof an IMSI from an inactive device may have a relatively low likelihoodto have a registration error (e.g. IMSI collision) as compared withreusing an IMSI from an active device. An IMSI collision is aregistration error that occurs in which two active devices with the sameIMSI attempt to register with the same registration function on anetwork device (e.g. register, Home Location Register (HLR), VisitorLocation Register (VLR), etc.). For example, if the identityprovisioning function assigns an IMSI to a first mobile phone where theIMSI is reused from an inactive second mobile phone (e.g., inactive dueto unpaid bills for a period of time exceeding a threshold of time),then the likelihood that the inactive mobile phone would be active againresulting in a registration error may be low. However, if the secondmobile phone is reactivated (e.g., the user has paid bills in full), andsecond mobile phone attempts to register its IMSI with the registrationfunction, an IMSI collision can occur. Such an IMSI collision orregistration error can be resolved or mitigated as described herein.

In or more embodiments, reusing an IMSI between two active devices withparticular mobility types and/or device locations can reduce thelikelihood of a registration error. The mobility types can describe therelative mobility or stationary nature of the device. In someembodiments, the mobility type can be fixed, transportable, and mobile.A device with a fixed mobility type is stationary and would not moveinto a different location during its use. Thus, such a device registerswith a registration function associated with its location and would notbe expected to move to another location to register with anotherregistration function. A device with a transportable mobility type isusually stationary at a particular location but may be moved to anotherstationary location during its use. For example, an appliance such as awasher or television can have a transportable mobility type. A devicewith a mobile mobility type can move from one location to another oftenduring its use. Devices such as mobile phones, automobiles and trackersthat are associated with package delivery can be associated with amobile mobility type.

In other embodiments, the list of designated IMSI for reuse can includethe entity associated with the device. For example, a first device isassociated with a first entity and a second device is associated with asecond entity. Further, devices associated with the first entity are ina first predefined area of locations and the devices associated with thesecond entity are in a second predefined area of locations separate fromthe first predefined area. Thus, a device in a first predefined area andassociated with the first entity would not move into the secondpredefined area associated with the second entity. The identityprovisioning function can reuse IMSIs from devices associated withdifferent entities to reduce the likelihood of a registration error.

In one example pertaining to selecting IMSI reuse according to mobilitytype and/or device location, an IMSI associated with an electric metermay be reused and assigned to the first mobile phone. The mobility typeof the electric meter can be fixed while mobile phone mobility type ismobile. In further embodiments, the device location of the first mobilephone can be used to assign a reused IMSI from a device that would notlikely create a registration error (e.g. IMSI collision). That is, ifthe electric meter is in Denver and the first mobile phone is inChicago, the likelihood of generating a registration error is lowbecause there is a low chance that the mobile device in Chicago canoverlap into the geographic area of the electric meter in Denver,thereby having a low likelihood in creating a registration error. Inother embodiments, the identity provisioning function and the identityproxy function can provision a reused IMSI from a fixed device (i.e., adevice with mobility type fixed) to a device such as an appliance with atransportable mobility type. Further, the fixed device may be in alocation that is different than the location of the transportabledevice. In some embodiments, the identity provisioning function selectsan IMSI for reuse, not only according to the mobility type of eachdevice, but also according to the location of each device. For example,the identity provisioning function can select an IMSI for reuseassociated with a fixed water meter in St. Louis and provision thereused IMSI to a transportable washer appliance located in Seattle. Theselection is made according to both the mobility type and location ofeach device because the likelihood that the washer is moved to the samelocation (e.g., St. Louis) as the fixed water meter to create aregistration error is low. In other embodiments, the identityprovisioning function can select an IMSI for reuse according to thedistance between two devices exceeding a predetermined threshold. Forthe example above with a fixed water meter in St. Louis and the washerappliance in Seattle, the predetermined threshold can be 1000 miles. Theidentity provisioning function can determine that the distance betweenfixed water meter and the washer appliance exceeds 1000 miles andthereby assigns the IMSI to both the fixed water meter and the washerappliance.

FIGS. 30-32 depict illustrative embodiments of reusing IMSIs accordingto mobility and location of different communication devices. Referringto FIG. 30, the system 3000 incorporates the functions discussed indescribing, inter alia, FIGS. 3, 4, 5, 6, 10, and 11. In one or moreembodiments, the identity provisioning function assigns a new device3005 with a reused IMSI that has been assigned to an old device 2930.The IMSI can be selected according to the mobility type and location ofboth the new device 3005 and the old device 2930. That is, for example,if each device has a transportable or fixed mobility type and eachdevice is in a different location, then the identity provisioningfunction can assign the IMSI of the old device to the new device suchthat there may be a low likelihood of a registration error/failure(e.g., an IMSI collision). If the old device and new device are bothstationary, and if each device is in a different location, then eachdevice would register their respective IMSIs at a different registrationfunction having different registration services areas. For example, theold device 2930 can be an electric meter with a fixed mobility type anda location in Boston. The new device 3005 can be a television appliancewith a transportable mobility type and location in San Diego. Theidentity provisioning function can determine that an old device 2930having a fixed mobility type and a new device 3005 having atransportable type would reduce the likelihood of a registration errordue to both devices registering at the same registration service area.That is, it is a low likelihood that the new device 3005 would move tothe same location as the old device 2930 to cause a registration error(e.g. IMSI collision). For such a registration error to occur, thehousehold having the television appliance 3005 would have to move withinthe same registration service area as the old device 2930 and attempt toregister its IMSI to the same registration function.

In some embodiments, the identity provisioning function can select theIMSI for reuse by determining the distance between the old device 2930and the new device 3005 in which one device has a fixed mobility type ora transportable mobility type. Further, the identity provisioningfunction can determine whether the distance between the old device 2930and the new device 3005 exceeds a predetermined threshold. If thedistance between the location of the old device 2930 and the new device3005 exceeds the predetermined threshold (e.g. 1500 miles), then theidentity provisioning function can assign, and thereby reuse, the IMSIof the old device 2935 to the new device 3005.

In one or more embodiments, at 3010, the identity provisioning functionnotifies the identity proxy function that is assigned the IMSI of theold device 2930 to the new device 3005. In some embodiments, theidentity provisioning function and the identity proxy function can be onseparate network devices. In other embodiments, the identityprovisioning function and the identity proxy function can be on the samenetwork device. Further, at 3015, the identity provisioning functionnotifies the registration function on a network device (e.g., HLR, VLR,etc.) that the IMSI of the old device 2930 is assigned to the new device3005. At some time, the new device 3005 sends a registration request tothe registration function. The registration request can be interceptedor otherwise obtained by the identity proxy function which can identifythat the IMSI assigned to the new device 3005 is being reused andoriginally assigned to the old device 2930. However, the identity proxyfunction can also determine that the old device is not registered withthis particular registration function, thereby no registration error(e.g. IMSI collision) can occur. Thus, at 3025, the identity proxyfunction relays the registration request to the registration function.At 3030, the registration function sends a message to the new device3005 that it is registered. The identity proxy function intercepts themessage and determines no registration error occurred (e.g., IMSIcollision). Responsive to this determination, the identity proxyfunction relays the message to the new device 3005.

Referring to FIG. 31, in one or more embodiments, the new device 3005,which is assigned an IMSI that was originally assigned to and currentlyused by the old device 2930, is transported to a location in proximity(e.g., within the same registration area) to the old device 2930.Further, the new device 3005 attempts to register with a registrationfunction (e.g., HLR, VLR, etc.). However, the old device 2930 hasalready registered the IMSI with the registration function. At 3105, thenew device 3005 sends a registration request to the registrationfunction. The identity proxy function intercepts the registrationrequest. Further, the identity proxy function determines that the newdevice 3005 has the same IMSI as the old device 2930 and the old devicehas registered its IMSI with the registration function; the sameregistration function that the new device 3005 has sent its registrationrequest. The identity proxy function determines that a registrationerror would occur if the registration request sent by the device is sentto the registration function. In response, at 3110, the identity proxyfunction sends the new device a message that indicates that registrationof its IMSI did not occur. Further, at 3115, the identity proxy functionnotifies the identity provisioning function that a registration errorhas occurred (or will occur) due to the new device and old device havingthe same IMSI and attempting to register with the same registrationfunction. In response, at 3120, the identity provisioning functionassigns a new IMSI to the new device 3005. Such a new IMSI can be from adesignated list of IMSIs that are available for reuse as describedherein. At 3125, the identity provisioning function can notify theregistration function of the new IMSI for the new device 3005, and, at3130, notify the identity proxy function of the new IMSI for the newdevice 3005.

In some embodiments, the mobility type of an old device is transportableand the mobility type of a new device is fixed. Further, the old deviceand the new device are in different locations and use the same IMSI. Ifthe old device is transported to the same registration service area asthe new device and attempts to register with the same registrationfunction as the new device, a registration error would occur. Such aregistration error can be resolved as described herein. Further, the olddevice and new device can each be of any mobility type but in differentlocations. In addition, if one device moves into the same registrationservice area of the other device and registers its IMSI with aregistration function, a registration error can occur. However, any suchregistration error can be resolved as described herein.

Referring to FIG. 32, in one or more embodiments, the new device 3005,which is assigned a reused IMSI that was originally assigned to andcurrently used by the old device 2930, is transported to the samelocation as the old device 2930. Thus, the new device 3005 attempts toregister with a registration function at a network device. However, theold device 2930 has already registered the IMSI with the registrationfunction. At 3105, the new device 3005 sends a registration request tothe registration function. The identity proxy function intercepts theregistration request. Although in some embodiments, the identity proxyfunction can determine that a registration error would occur by the newdevice registering with the registration function, the identity proxyfunction at 3207, relays the registration request to the registrationfunction, anticipating an error due to a registration error (e.g. IMSIcollision). The registration function, at 3210, transmits a registrationerror generated due to the old device and the new device sharing thesame IMSI (i.e., IMSI collision). The identity proxy function interceptsthe error message and at 3215, the identity proxy function sends the newdevice a message that indicates that its registration did not occur.Further, at 3220, the identity proxy function notifies the identityprovisioning function that the new device 3005 that a registration errorhas occurred due to the new device and old device having the same IMSIand attempting to register with the same registration function. Inresponse, at 3230, the identity provisioning function assigns a new IMSIto the new device 3005. Such a new IMSI can be from a designated list ofIMSIs that are available for reuse as described herein. At 3235, theidentity provisioning function can notify the registration function ofthe new IMSI for the new device 3005, and, at 3240, can notify theidentity proxy function of the new IMSI for the new device 3005.

FIG. 33 depicts an illustrative embodiment of a method 3300 that reusesIMSIs according to mobility and location of different communicationdevices. The method 3300 can include an identity provisioning functionon a network device, at 3302, generating and determining mobility typesfor devices assigned with IMSIs.

The identity provisioning function can, at 3304, receiving or generatinga list of designated IMSIs to be reassigned to devices. Further, themethod 3300 can include, at 3306, the identity provisioning functionclassifying each of the IMSIs according to one of the mobility types. Inaddition, the method 3300, can include the identity provisioningfunction, at 3308, receiving a request for an IMSI for a first deviceand determining, at 3310, a first mobility type and device location forthe first device. Also, the method 3300 can include the identityprovisioning function, at 3312, selecting a first IMSI from the list ofmultiple IMSIs according to the first mobility type and a secondmobility type and the device location of the first device and the devicelocation of the second device. The first IMSI is associated with asecond device which has a second mobility type and a second devicelocation as stored in the list of designated IMSIs for reuse. Further,the identity provisioning function selects the first IMSI according tothe first mobility type, first device location, the second mobilitytype, and/or the second device location to reduce a likelihood of aregistration error (e.g. IMSI collision). At 3314, the method 3300 caninclude the identity provisioning function assigning the first IMSI tothe first device. At 3316, the method 3300 can include the identityprovisioning function notifying a registration function that the firstIMSI is assigned to the first device.

The method 3300 can include the identity provisioning function, at 3318,receiving a request from the second device to register the first IMSIwith a registration function. If such a request is received by aregistration function, a registration error (e.g. IMSI collision) wouldoccur. Further, the method 3300 can include the identity provisioningfunction, at 3320, selecting a second IMSI for the second device fromthe multiple of IMSIs according to the second mobility type, a thirdmobility type, the second device location, and/or the third devicelocation. That is, the identity provisioning function is assigning anIMSI from the list of designated IMSI for reuse that is associated witha third device having a third mobility type and a third device location.The selected IMSI can be the second IMSI that is associated with a thirddevice. The identity provisioning function selects the second IMSIaccording to the second mobility type, the second device location, thethird mobility type, and/or the third device location to reduce alikelihood of another registration error (e.g. IMSI collision).

The method 3300 can include the identity provisioning function, at 3322,receiving a first error message, from a registration function,associated with the (first) registration error. Further, the identityprovisioning function can determine from the first error message thatthe second device is attempting to register the first IMSI. The method3300, can include the identity provisioning function, at 3324, selectinga second IMSI for the second device from the multiple of IMSIs accordingto the second mobility type, a third mobility type, the second devicelocation, and/or the third device location. That is, the identityprovisioning function is assigning an IMSI from the list of designatedIMSI for reuse that is associated with a third device having a thirdmobility type and a third device location. The selected IMSI can be thesecond IMSI that is associated with a third device. The identityprovisioning function selects the second IMSI according to the secondmobility type, the second device location, the third mobility type,and/or the third device location to reduce a likelihood of anotherregistration error (e.g. IMSI collision).

FIG. 34 depicts an illustrative embodiment of a device 3402 with an IMSIhaving multiple shared secret keys, k_(i). In one or more embodiments,the device 3402 can be associated with IMSI reuse information 3404 thatcan include the IMSI 3406, a device identifier such as an IMEI 3408,multiple unique identifiers 3410, multiple shared secret keys, k 3412,and multiple signed responses (SRESs) 3414 (or any other authenticationresponses). Each SRES is based on a shared secret key, k_(i) resultingin the multiple SRESs. Although in some embodiments IMSI reuseinformation 3404 includes an IMEI and unique identifiers based on theIMEI, other embodiments of the IMSI reuse information 3404 can includethe GUTI of the device 3402 and the unique identifiers can be based onthe GUTI. Further embodiments of the IMSI reuse information 3404 caninclude a unique identifier associated with each of multiple k_(i) thatis not based on IMEI or GUTI of the device 3402. In addition, eachunique identifier 3410, shared secret key, k_(i), and SRES_(i) can beassociated with a device profile 3416 of the device 3402. For example,the device 3402 can be provisioned with five different device profiles3416. The device 3402 can be shared between four different users, aparent, and three children. The device 3402 can be provisioned with aparent personal profile and a parent business profile as well as with adevice profile for each of the three children. A user of device 3402 canenable or select (e.g. based on received user-generated input) any ofthe device profiles provisioned on the device 3402. Thus, the device3402 can be used by more than user according to a particular deviceprofile.

In one or more embodiments, the device 3402 can be communicativelycoupled to a communication network. Network devices having aregistration function within the communication network can register thedevice 3402 by receiving a SRES_(i) and matching the SRES_(i) with anSRES generated by the registration function. In addition, a deviceprofile enabled on the device 3402 can be identified by the registrationfunction, directly or indirectly as described herein, according to thegenerated SRES matching the SRES_(i) provided by the device. Inadditional embodiments, the registration function can determine theshared secret key, k_(i), based on the SRES_(i). Also, registrationfunction can identify the device profile enabled or selected (e.g. basedon received user-generated input) on the device 3402 according to thedetermined shared secret key, k_(i). Further embodiments can include thenetwork services devices providing specific or particular services tothe device 3402 based on the identified device profile.

In one or more embodiments, the registration function, identity proxyfunction, or identity provisioning function can be provisioned with theentirety or a portion of the IMSI reuse information 3404. In addition,the registration function, identity proxy function, or identityprovisioning function can request a unique identifier responsive toreceiving the SRES_(i). Each can identify the device profile enabled bythe communication device according to the unique identifier. Further,one of the registration function, identity proxy function, or identityprovisioning function can provide specific or particular service for thedevice 3402 based on the identified device profile. For example, uponreceiving SRES₂ and/or IMEI-sub2, at least one of the registrationfunction, identity proxy function, or identity provisioning function candetermine that the SRES₂ and/or IMEI-sub2 is associated with a businessprofile of a user. Thus, the network devices can provide businessrelated services such as VPN services, security protections, and dataencryption. In another example, upon receiving SRES₁ and/or IMEI-sub1,the registration function, identity proxy function, or identityprovisioning function can determine that the SRES₁ and/or IMEI-sub1 isassociated with a personal profile of the user. Thus, the registrationfunction, identity proxy function, or identity provisioning function canprovide personal services such as streaming services, parental controls,and music distribution.

The device 3402 can be, but not limited to, a smartphone, mobile phone,tablet computer, sensor, Internet of Things (IoT) device, or any othercomputing device. Further IMSI reuse information 3404 can be stored in alook-up table and/or database in a network device or accessed by anetwork device to determine or identify associations among the IMSI3406, IMEI (or any other device identifier) 3408, unique identifier3410, shared secret key, k_(i), SRES_(i) 3412, and device profiles 3416.Although embodiments discuss the authentication response can be a signedresponse (SRES), the authentication response can be RES and XRES(expected response) as described herein.

FIG. 35 depicts an illustrative embodiment of a device registering forservices according to one of a multiple k_(i) of the device. The system3500 incorporates the functions discussed in describing, inter alia,FIGS. 3, 4, 5, 6, 10, and 11. In one or more embodiments, the identityprovisioning function assigns, at 3510, the device 3402 with IMSI reuseinformation 3404 including IMSI 3406 and a portion or all of IMSI reuseinformation 3420. In further embodiments, at 3512, the identityprovisioning function notifies the identity proxy function that IMSI3406 and IMSI reuse information 3404 is provisioned on device 3402. Sucha notification can include providing the IMSI to the identity proxyfunction by the identity provisioning function as well as possiblyproviding other portions or all of the IMSI reuse information. Thisnotifies the identity proxy function to allow a registration requestfrom the device that includes the IMSI to be passed through or relayedto the registration function. In some embodiments, without thisnotification, the identity proxy function may have been notified thatthe IMSI was shared among multiple devices and the identity proxyfunction would intercept the registration request to avoid a possibleregistration error. However, the notification provides information tothe identity proxy function that indicates there would be noregistration error if the registration request was allowed to be sent tothe registration function In additional embodiments, the identityprovisioning function notifies, at 3515, a first registration functionon a network device (e.g. HLR, HSS, etc.) that the device 3402 isassigned the IMSI 3406 as well as provisioned with the multiple k_(i).The identity provisioning function may also share the multiple k withthe first registration function or the first registration function maybe provided with the multiple k_(i) by other network devices. Inaddition, the first registration function can be provided by the deviceprofile associated with each of the multiple k_(i). The firstregistration function can provide, at 3517, the IMSI, portions of theIMSI reuse information, and the device profile associated with each ofthe multiple k_(i) to a second registration function (e.g. VLR, MME,etc.) for the device. The first registration function can also providethe generated authentication response, SRES_(i), for each of themultiple k_(i), each associated with a device profile. In someembodiments, the second registration function can be provided thegenerated authentication responses initially and then request the deviceprofile with the matched generated response from the first registrationfunction. That is, the second registration function sends a request forthe device profile with the matching generated authentication response.The first registration function identifies the device profile accordingto the matched generated authentication response, and provide the deviceprofile to the second registration function accordingly.

In some embodiments, the identity provisioning function and the identityproxy function can be on separate network devices. In other embodiments,the identity provisioning function and the identity proxy function canbe on the same network device. In some embodiments, the firstregistration function and the second registration function can be onseparate network devices and in other embodiments the first registrationfunction and the second registration function can be on the same networkdevice.

At 3520, the device 3402 sends a registration request to theregistration function. The registration request can be intercepted orotherwise obtained by the identity proxy function which can identify theIMSI 3406 assigned to the device 3402. At 3525, the identity proxyfunction relays the registration request to the second registrationfunction. As part of the registration process, the second registrationfunction can generate or otherwise obtain an authentication responsebased on each of the multiple k_(i) resulting in multiple generatedauthentication responses. Further, the registration request can includea device authentication response. Note, the registration request cancomprises one or more messages exchanged among the device, identityproxy function and the second registration function.

In one or more embodiments, the second registration function comparesthe device authentication response to each of the generatedauthentication responses. Further, the second registration functionidentifies a generated authentication response that matches the deviceauthentication response. In addition, the second registration functioncan identify or determine the device profile associated with theidentified generated authentication response. Identifying the deviceprofile can include determining the k_(i) associated with the identifiedgenerated authentication response and the determining the device profileassociated with the k_(i).

In response to the device authentication response matching one of themultiple generated authentication responses, at 3530, the secondregistration function sends a message to the device 3402 that theregistration function has confirmed the registration of device 3402. Theidentity proxy function relays the message to the device 3402, at 3531.

In some embodiments, the identity proxy function can intercept theregistration request and simulate a registration. Further, the firstregistration function can provide the IMSI, portions of the IMSI reuseinformation and the device profile associated with each of the multiplek_(i) to identity proxy function. In further embodiments, the identityproxy function can simulate the registration of the device. The identityproxy function can compare the device authentication response to each ofthe generated authentication responses. Further, the identity proxyfunction identifies a generated authentication response that matches thedevice authentication response. In addition, the identity proxy functioncan identify or determine the device profile associated with theidentified generated authentication response. Identifying the deviceprofile can include determining the k_(i) associated with the identifiedgenerated authentication response and the determining the device profileassociated with the k_(i). The identity proxy function can notify theidentity provisioning function that the identity proxy functionsimulating a registration for a device that has an IMSI that is sharedamong different device profiles. Further, the identity provisioningfunction may provision another IMSI on the device and the firstregistration function and/or second registration function. In addition,the device can re-register with the first registration function and/orsecond registration function with the newly provisioned IMSI. However,the services network device is notified by the identity proxy functionor identity provisioning function that the device has enabled with aparticular device profile so that the services network device canprovide services to the device according to the device profile.

In one or more embodiments, at 3532, the second registration functionsends a notification to the identity provisioning function indicatingthat the identity proxy function has received an authenticationresponse, SRES₂. In additional embodiments, the first registration candetermine the device profile and notify the identity provision function.That is, the second registration function provides the matched generatedauthentication response to the first registration function and the firstregistration function identifies the device profile according to thegenerated authentication response. In further embodiments, where theidentity proxy function has simulated a registration, the identity proxyfunction can provide the identity provisioning function with theauthenticated response, SRES₂. In some embodiments, the identityprovisioning function can identify the particular device profile enabledon the device 3402 according to the SRES₂. In other embodiments, theidentity provisioning function can determine, identify, or otherwiseobtain a shared secret key, k₂, from SRES₂ then determine the particulardevice profile enabled on the device 3402 according to the shared secretkey k₂. In further embodiments, the notification from the secondregistration function can indicate the device profile associated withSRES₂.

In one or more embodiments, the IMSI reuse information 3404 can bestored in a database. Associations among the shared secret key k₂ anddevice profile can be determined by accessing the IMSI reuse informationaccording to the shared secret key, k₂ used to generate the SRES₂ fromthe database, by any network device in the network including, but notlimited to the identity proxy function, identity provisioning function,first registration function, and second registration function.

Responsive to obtaining or determining the device profile, andidentifying that the device profile for business services, at 3535, theidentity provisioning function can deliver the identified device profileto a business services network device 3504 or provide a notification tothe business services network device 3504 that device 3502 has enabledthe particular device profile associated with SRES₂. In someembodiments, the notification can be provided by another network devicethat is notified, directly or indirectly, by the second registrationfunction, identity proxy function, and/or identity provisioningfunction. Further, the business network device may provide businessservices according to the device profile, at 3540. For example, thebusiness services network device 3504 can set up a virtual privatenetwork to the device 3502 over a communication network according to thedevice profile. In another example, the business services network device3504 can initiate configuration of the device 3502 to receive businessemails securely over the communication network according to the deviceprofile. In some embodiments, the network can point all traffic to theservices network device directed toward or received from the device toprovide services according to the device profile.

In some embodiments, functions described for the identity provisioningfunction can be also be implemented by the identity proxy function. Inother embodiments, functions described for the identity proxy functioncan also be implemented by the identity provisioning function. Infurther embodiments, the first registration function may receive aregistration request from the device and perform the functions by thesecond registration function described herein.

FIG. 36 depicts an illustrative embodiment of a device registering forservices according to one of a multiple shared secret keys, k_(i), ofthe device 3402. The system 3600 incorporates the functions discussed indescribing, inter alia, FIGS. 3, 4, 5, 6, 10, and 11.

In one or more embodiments, the identity provisioning function assigns,at 3603, the device 3402 with IMSI 3406 and with IMSI reuse information3404 including a portion or all of the IMSI reuse information 3418. Inadditional embodiments, the identity provisioning function notifies, at3605, multiple registration functions (e.g. HLR, VLR, HSS, MME, etc.)that the device 3402 is assigned the IMSI 3406 as well as provisionedthe multiple k_(i). That is, a first registration function can benotified of the IMSI and k₁, a second registration function can benotified of the IMSI and k₂, a third registration function can benotified of the IMSI and k₃, a fourth registration function can benotified of the IMSI and k₄, and a fifth registration function can benotified of the IMSI and k₅. The identity provisioning function may alsoshare the k_(i) with an associated registration function or theregistration functions may be provided with the multiple k_(i) by othernetwork devices. Each of the registration functions can be on separatenetwork devices or some or all of the registration functions can be on asame device such that each of the registration function can be a virtualregistration function.

In one or more embodiments, the identity provisioning function, at 3608,notifies the identity proxy function of the IMSI for the device and thatthe IMSI is associated with multiple device profiles. In someembodiments, the identity provisioning function may provide the identityproxy function with a unique identity associated with a device profilethat can be selected by the user of the device 3402. Further, theidentity provisioning function can provide steering information to theidentity proxy function to steer a registration request from the deviceto one of the multiple registration functions according to a uniqueidentifier. For example, if the identity proxy function receives aunique identifier, IMEI-sub 3, then the steering function forwards theregistration request for the device to a third registration function.

In one or more embodiments, the identity proxy function, at 3610, mayreceive a registration request from the device. In some embodiments, theregistration request may include a unique identifier associated with adevice profile. In other embodiments, the identity proxy function candetermine according to the IMSI included in the registration requestthat the device has more than one device profile. The identity proxyfunction can send a request to the device for the unique identifierassociated with the enabled device profile. In response, the device canprovide the unique identifier to the identity proxy function. A steeringfunction, at 3615, can send the registration request to one of themultiple registration functions according to the unique identifier. Forexample, the device may be enabled or user selected to have personalprofile for a child 3421. Such a profile is associated with the IMSI ofthe device and the IMEI as well as the unique identifier IMEI-sub 3(based on the IMEI), k₃, and SRES₃ (signed authentication response). Theidentity proxy function steers the registration function, at 3615,according to the unique identifier to the third registration function.Further, the third registration function sends, at 3620, a registrationconfirmation for the device to the identity proxy function. The identityproxy function relays the registration confirmation, at 3625, to thedevice. Further, the identity proxy function, at 3630, sends anotification to the identity provisioning function that the device hasenabled or user-selected a third device profile according to the uniqueidentifier, IMEI-sub 3. In addition, the identity provisioning functionsends, at 3635, a notification to a personal services network device3602 to provide personal services to the device. At 3640, the personalservices network device 3602 provides personal services to the device.For example, the personal services network device 3602 can providestreaming media services to the device 3402 over a communicationnetwork. In another example, the personal services network device 3602can initiate configuration of the device 3402 to receive music filesover the communication network. In a further example, the personalservices network device 3602 can institute parental controls, filters,software, programs, applications, etc.

In some embodiments, functions described for the identity provisioningfunction can be also be implemented by the identity proxy function. Inother embodiments, functions described for the identity proxy functioncan also be implemented by the identity provisioning function.

FIG. 37A depicts an illustrative embodiment of a method 3700 that usesmultiple shared secret keys, _(ki), associated with an IMSI of a device.The method 3700 can be implemented by a network device or a group ofnetwork devices that can include the identity proxy function, identityprovisioning function, one or more registration functions, and serviceprovision functions (e.g. networks devices that provide personal orbusiness services). In one or more embodiments, the method 3700, at3702, can include the identity provisioning function provisioning acommunication device with multiple device profiles as well as an IMSIand IMSI reuse information and provides instructions to thecommunication device to associate each of the multiple device profileswith the IMSI. Further, the method 3700 can include, at 3704, a networkdevice receiving an international mobile subscriber identity (IMSI) andmultiple secret keys associated with the IMSI. In some embodiments, thenetwork device can include a registration function (e.g. HLR, HSS). Inother embodiments, the network device having the registration functioncan receive the IMSI and the multiple secret keys from an identityprovisioning function. Each of the multiple secret keys is associatedwith a device profile resulting in multiple device profiles.

In addition, the method 3700 can include, at 3706, a registrationfunction obtaining a generated authentication response for each of themultiple secret keys resulting in multiple generated authenticationresponses. In some embodiments, the registration function can generatethe multiple authentication responses. In other embodiments, theregistration function can obtain the multiple authentication responsesfrom another network device. Also, the method 3700 can include, at 3708,the registration function associating each of the multiple, generatedauthentication responses with each of the multiple device profiles. Thiscan be done through storing the generated authentication response witheach of the multiple device profiles in a table or database. The method3700 can include the registration function, at 3710, receiving aregistration request from the communication device. The registrationrequest can include a device authentication response. In someembodiments, the registration request can be more than one message andone of these messages can include the device authentication response.Further, the method 3700 can include the registration function, at 3712,comparing the device authentication response to the each of the multiplegenerated authentication responses. In addition, the method 3700 caninclude the registration function identifying, at 3714, that the deviceauthentication response matches a first generated authenticationresponse. The first generated authentication response is one of themultiple generated authentication responses. Also, the method 3700 caninclude, at 3716, the registration function identifying a first deviceprofile associated with the first generated authentication response. Thefirst device profile can be one of the multiple device profiles. In someembodiments, the steps above 3702-3716, can be implemented by anyregistration function (e.g. HLR, VLR, HSS, MME, etc.). In someembodiments, the method 3700 can include the registration functionnotifying, at 3726, a server, or network services device, to provideservices to the communication device according to the first deviceprofile. In other embodiments, the registration function can notify, at3724, an identity provisioning function that the communication device isregistering with first device profile and the identity provisioningfunction can notify, at 3726, a server, or network services device, toprovide services to the communication device according to the firstdevice profile. In further embodiments, the registration function can bean MME or VLR and notifies the HSS or HLR the identified device profile.In some embodiments, the server or network services device is providedthe first device profile. In other embodiments, the server or networkservices device is provided an indication of the first device profile.The server or networks services device can provide services to thecommunication device according to the first device profile.

In one or more embodiments, the registration function can determine thefirst device profile according to method 3700. Further, method 3700 canrequest and receive a unique identifier associated with the first deviceprofile from the communication device. In addition, the method 3700 caninclude an identity provisioning function, at 3718, receiving the uniqueidentifier from the registration function. The method 3700 can include,prior to receiving the unique identifier and provisioning thecommunication device, the identity provisioning function, at 3720,associating each of a multiple unique identifiers to each of themultiple device profiles. Further, the method 3700 can include theidentity provisioning function, at 3722, identifying the first deviceprofile according the received unique identifier. Subsequently, themethod 3700 can include the identity provisioning function notifying, at3726, a server or network services device of the first device profile.(e.g. enabled or selected by the communication device baseduser-generated input through a user interface). For example, if thefirst device profile is a business profile, the network services devicecan provide VPN services, business email services, or data encryptionservices to the communication device. In another example, if the firstdevice profile is a personal profile, the network services device canprovide streaming media services, music distribution services, orparental controls to the communication device.

FIG. 37B depicts an illustrative embodiment of a method 3750 that usesmultiple shared secret keys, k_(i) associated with an IMSI of a device.The method 3700 can be implemented by a network device or a group ofnetwork devices that can include the identity proxy function, identityprovisioning function, one or more registration functions, and serviceprovision functions (e.g. networks devices that provide personal orbusiness services). The method 3750 can include, at 3752, the identityprovisioning function provisioning a communication device with an IMSI,multiple device profiles, and multiple secret keys. The identityprovisioning function can also provide instructions to the communicationdevice to associate each of the plurality of device profiles with theIMSI. Each of the plurality of secret keys are associated with each ofthe plurality of device profiles. Also, the communication device canassociate a device authentication response generated from each secretkey with a device profile. Further, method 3750 can include, at 3754,the identity provisioning function provisions each of multipleregistration functions with the IMSI provisioned on the communicationdevice and one of multiple secret keys. In some embodiments, eachregistration function is provisioned with a device profile associatedwith the provision secret key. In addition, the method 3750 can include,at 3756, the identity proxy function receiving an IMSI and multipleunique identifiers from an identity provisioning function. Each of themultiple unique identifiers are associated with a registration functionfrom the multiple registration functions. Also, the method 3750 caninclude, at 3758, the identity proxy function obtaining a registrationrequest from a communication device. The registration request includes afirst unique identifier of the multiple unique identifiers. In someembodiments, the registration request can be an exchange of severalmessages between the identity proxy function and the communicationdevice. The method 3750 can include, at 3760, steering the registrationrequest to a first registration function of the multiple registrationfunctions according to the first unique identifier. In furtherembodiments, prior to sending the registration request, thecommunication device enables a first device profile. The communicationdevice selects a first secret key of multiple secret keys according tothe first device profile and the communication device generates a deviceauthentication response based on the first secret key. The communicationdevice sends the device authentication response to the firstregistration function. The identity proxy function can receive a deviceauthentication from the communication device and forward the deviceauthentication to the first registration function. In other embodiments,the first registration function receives a first secret key from themultiple secret keys from a network device. The first registrationfunction can generate a first authentication response based on the firstsecret key. Further, the first registration function matches the firstauthentication response with the device authentication response.Accordingly, the first registration function confirms the registration.In additional embodiments, the identity proxy function can receive aregistration confirmation message from the first registration functionand forward the registration confirmation to the communication device.

Further, the method 3750 can include, at 3762, providing the firstunique identifier to the identity provisioning function either from theidentity proxy function or the first registration function. In addition,the method 3750, at 3764, the identity provisioning function identifiesa first device profile according to the first unique identifier. In someembodiments, the first device profile is identified by the registrationfunction and provided to the identity provisioning function. Also, themethod 3750 can include, a 3766, the identity provisioning functionnotifying a network services device that the communication device hasenabled a first device profile. The method 3750 can include, at 3768,the network services device to provide services to the communicationdevice according to the first device profile.

FIG. 38 depicts an exemplary diagrammatic representation of a machine inthe form of a computer system 3800 within which a set of instructions,when executed, may cause the machine to perform any one or more of themethods described above. One or more instances of the machine canoperate, for example, as the identity proxy functions 250, 850, 1050,1350, 2250, 2450, 2650, 2750, the identity provisioning functions 350,899, 1099, 1399, 1599, 1999, 2299, 2499, 2599, 2699, the steeringfunctions 1575, and/or other network elements (e.g., MSC/VLR, HLR, MME,HSS) or end user devices for switching between a generic IMSI and a fullservice IMSI, facilitating the use of the same IMSI by multiple devices,intercepting authentication requests, determining a particular devicethat is utilizing a shared IMSI, intercepting other messages such asregistration requests or error messages, determining identities ofdevices, and/or managing the use and reassignment of the IMSIs,including through the use of a bootstrap IMSI, and so forth. In someembodiments, the machine may be connected (e.g., using a network 3826)to other machines. In a networked deployment, the machine may operate inthe capacity of a server or a client user machine in a server-clientuser network environment, or as a peer machine in a peer-to-peer (ordistributed) network environment.

The machine may comprise a server computer, a client user computer, apersonal computer (PC), a tablet, a smart phone, a laptop computer, adesktop computer, a control system, a network router, switch or bridge,or any machine capable of executing a set of instructions (sequential orotherwise) that specify actions to be taken by that machine. It will beunderstood that a communication device of the subject disclosureincludes broadly any electronic device that provides voice, video ordata communication. Further, while a single machine is illustrated, theterm “machine” shall also be taken to include any collection of machinesthat individually or jointly execute a set (or multiple sets) ofinstructions to perform any one or more of the methods discussed herein.

The computer system 3800 may include a processor (or controller) 3802(e.g., a central processing unit (CPU)), a graphics processing unit(GPU, or both), a main memory 3804 and a static memory 3806, whichcommunicate with each other via a bus 3808. The computer system 3800 mayfurther include a display unit 3810 (e.g., a liquid crystal display(LCD), a flat panel, or a solid state display). The computer system 3800may include an input device 3812 (e.g., a keyboard), a cursor controldevice 3814 (e.g., a mouse), a disk drive unit 3816, a signal generationdevice 3818 (e.g., a speaker or remote control) and a network interfacedevice 3820. In distributed environments, the embodiments described inthe subject disclosure can be adapted to utilize multiple display units3810 controlled by two or more computer systems 3800. In thisconfiguration, presentations described by the subject disclosure may inpart be shown in a first of the display units 3810, while the remainingportion is presented in a second of the display units 3810.

The disk drive unit 3816 may include a tangible computer-readablestorage medium 3822 on which is stored one or more sets of instructions(e.g., software 3824) embodying any one or more of the methods orfunctions described herein, including those methods illustrated above.The instructions 3824 may also reside, completely or at least partially,within the main memory 3804, the static memory 3806, and/or within theprocessor 3802 during execution thereof by the computer system 3800. Themain memory 3804 and the processor 3802 also may constitute tangiblecomputer-readable storage media.

Dedicated hardware implementations including, but not limited to,application specific integrated circuits, programmable logic arrays andother hardware devices can likewise be constructed to implement themethods described herein. Application specific integrated circuits andprogrammable logic array can use downloadable instructions for executingstate machines and/or circuit configurations to implement embodiments ofthe subject disclosure. Applications that may include the apparatus andsystems of various embodiments broadly include a variety of electronicand computer systems. Some embodiments implement functions in two ormore specific interconnected hardware modules or devices with relatedcontrol and data signals communicated between and through the modules,or as portions of an application-specific integrated circuit. Thus, theexample system is applicable to software, firmware, and hardwareimplementations.

In accordance with various embodiments of the subject disclosure, theoperations or methods described herein are intended for operation assoftware programs or instructions running on or executed by a computerprocessor or other computing device, and which may include other formsof instructions manifested as a state machine implemented with logiccomponents in an application specific integrated circuit or fieldprogrammable gate array. Furthermore, software implementations (e.g.,software programs, instructions, etc.) including, but not limited to,distributed processing or component/object distributed processing,parallel processing, or virtual machine processing can also beconstructed to implement the methods described herein. Distributedprocessing environments can include multiple processors in a singlemachine, single processors in multiple machines, and/or multipleprocessors in multiple machines. It is further noted that a computingdevice such as a processor, a controller, a state machine or othersuitable device for executing instructions to perform operations ormethods may perform such operations directly or indirectly by way of oneor more intermediate devices directed by the computing device.

While the tangible computer-readable storage medium 3822 is shown in anexample embodiment to be a single medium, the term “tangiblecomputer-readable storage medium” should be taken to include a singlemedium or multiple media (e.g., a centralized or distributed database,and/or associated caches and servers) that store the one or more sets ofinstructions. The term “tangible computer-readable storage medium” shallalso be taken to include any non-transitory medium that is capable ofstoring or encoding a set of instructions for execution by the machineand that cause the machine to perform any one or more of the methods ofthe subject disclosure. The term “non-transitory” as in a non-transitorycomputer-readable storage includes without limitation memories, drives,devices and anything tangible but not a signal per se.

The term “tangible computer-readable storage medium” shall accordinglybe taken to include, but not be limited to: solid-state memories such asa memory card or other package that houses one or more read-only(non-volatile) memories, random access memories, or other re-writable(volatile) memories, a magneto-optical or optical medium such as a diskor tape, or other tangible media which can be used to store information.Accordingly, the disclosure is considered to include any one or more ofa tangible computer-readable storage medium, as listed herein andincluding art-recognized equivalents and successor media, in which thesoftware implementations herein are stored.

Although the present specification describes components and functionsimplemented in the embodiments with reference to particular standardsand protocols, the disclosure is not limited to such standards andprotocols. Each of the standards for Internet and other packet switchednetwork transmission (e.g., TCP/IP, UDP/IP, HTML, HTTP) representexamples of the state of the art. Such standards are from time-to-timesuperseded by faster or more efficient equivalents having essentiallythe same functions. Wireless standards for device detection (e.g.,RFID), short-range communications (e.g., Bluetooth®, WiFi, Zigbee), andlong-range communications (e.g., WiMAX, GSM, CDMA, LTE) can be used bycomputer system 3800. In one or more embodiments, information regardinguse of services can be generated including services being accessed,media consumption history, user preferences, and so forth. Thisinformation can be obtained by various methods including user input,detecting types of communications (e.g., video content vs. audiocontent), analysis of content streams, and so forth. The generating,obtaining and/or monitoring of this information can be responsive to anauthorization provided by the user. In one or more embodiments, ananalysis of data can be subject to authorization from user(s) associatedwith the data, such as an opt-in, an opt-out, acknowledgementrequirements, notifications, selective authorization based on types ofdata, and so forth.

The illustrations of embodiments described herein are intended toprovide a general understanding of the structure of various embodiments,and they are not intended to serve as a complete description of all theelements and features of apparatus and systems that might make use ofthe structures described herein. Many other embodiments will be apparentto those of skill in the art upon reviewing the above description. Theexemplary embodiments can include combinations of features and/or stepsfrom multiple embodiments. Other embodiments may be utilized and derivedtherefrom, such that structural and logical substitutions and changesmay be made without departing from the scope of this disclosure. Figuresare also merely representational and may not be drawn to scale. Certainproportions thereof may be exaggerated, while others may be minimized.Accordingly, the specification and drawings are to be regarded in anillustrative rather than a restrictive sense.

Although specific embodiments have been illustrated and describedherein, it should be appreciated that any arrangement which achieves thesame or similar purpose may be substituted for the embodiments describedor shown by the subject disclosure. The subject disclosure is intendedto cover any and all adaptations or variations of various embodiments.Combinations of the above embodiments, and other embodiments notspecifically described herein, can be used in the subject disclosure.For instance, one or more features from one or more embodiments can becombined with one or more features of one or more other embodiments. Inone or more embodiments, features that are positively recited can alsobe negatively recited and excluded from the embodiment with or withoutreplacement by another structural and/or functional feature. The stepsor functions described with respect to the embodiments of the subjectdisclosure can be performed in any order. The steps or functionsdescribed with respect to the embodiments of the subject disclosure canbe performed alone or in combination with other steps or functions ofthe subject disclosure, as well as from other embodiments or from othersteps that have not been described in the subject disclosure. Further,more than or less than all of the features described with respect to anembodiment can also be utilized.

Less than all of the steps or functions described with respect to theexemplary processes or methods can also be performed in one or more ofthe exemplary embodiments. Further, the use of numerical terms todescribe a device, component, step or function, such as first, second,third, and so forth, is not intended to describe an order or functionunless expressly stated so. The use of the terms first, second, thirdand so forth, is generally to distinguish between devices, components,steps or functions unless expressly stated otherwise. Additionally, oneor more devices or components described with respect to the exemplaryembodiments can facilitate one or more functions, where the facilitating(e.g., facilitating access or facilitating establishing a connection)can include less than every step needed to perform the function or caninclude all of the steps needed to perform the function.

In one or more embodiments, a processor (which can include a controlleror circuit) has been described that performs various functions. Itshould be understood that the processor can be multiple processors,which can include distributed processors or parallel processors in asingle machine or multiple machines. The processor can be used insupporting a virtual processing environment. The virtual processingenvironment may support one or more virtual machines representingcomputers, servers, or other computing devices. In such virtualmachines, components such as microprocessors and storage devices may bevirtualized or logically represented. The processor can include a statemachine, application specific integrated circuit, and/or programmablegate array including a Field PGA. In one or more embodiments, when aprocessor executes instructions to perform “operations”, this caninclude the processor performing the operations directly and/orfacilitating, directing, or cooperating with another device or componentto perform the operations.

The Abstract of the Disclosure is provided with the understanding thatit will not be used to interpret or limit the scope or meaning of theclaims. In addition, in the foregoing Detailed Description, it can beseen that various features are grouped together in a single embodimentfor the purpose of streamlining the disclosure. This method ofdisclosure is not to be interpreted as reflecting an intention that theclaimed embodiments require more features than are expressly recited ineach claim. Rather, as the following claims reflect, inventive subjectmatter lies in less than all features of a single disclosed embodiment.Thus the following claims are hereby incorporated into the DetailedDescription, with each claim standing on its own as a separately claimedsubject matter.

What is claimed is:
 1. A device, comprising: a processing systemincluding a processor; and a memory that stores executable instructionsthat, when executed by the processing system, facilitate performance ofoperations, comprising: receiving a registration request associated witha communication device, wherein the registration request includes adevice authentication response; comparing the device authenticationresponse to a plurality of generated authentication responses;determining that the device authentication response matches a generatedauthentication response among the plurality of generated authenticationresponses; and notifying a server to provide services to thecommunication device according to a device profile associated with thegenerated authentication response.
 2. The device of claim 1, wherein theoperations comprise receiving an international mobile subscriberidentity (IMSI) and a generated authentication response for each of aplurality of secret keys resulting in the plurality of generatedauthentication responses.
 3. The device of claim 2, wherein thereceiving of the IMSI and the plurality of generated authenticationresponses comprises receiving of the IMSI and the plurality of generatedauthentication responses from a registration function.
 4. The device ofclaim 2, wherein the receiving of the IMSI and a plurality of secretkeys comprises receiving of the IMSI and the plurality of secret keysfrom an identity provisioning function.
 5. The device of claim 1,wherein the operations comprise associating each of the plurality ofgenerated authentication responses with each of a plurality of deviceprofiles.
 6. The device of claim 1, wherein the notifying of the servercomprises notifying an identity provisioning function of the deviceprofile, wherein the server obtains an indication of the device profilefrom the identity provisioning function.
 7. The device of claim 6,wherein the operations further comprise receiving a unique identifierfrom the communication device, wherein the unique identifier isassociated with the device profile, and wherein the notifying of theidentity provisioning function of the device profile comprises sendingthe unique identifier to the identity provisioning function, wherein theidentity provisioning function associates each of a plurality of deviceprofiles with each of a plurality of unique identifiers, and wherein theidentity provisioning function identifies the device profile accordingto the unique identifier.
 8. The device of claim 1, wherein the deviceprofile is one of a group of device profiles for the communicationdevice, and wherein the group of device profiles indicate differentusers.
 9. A method, comprising: receiving, by a processing systemincluding a processor, a registration request associated with acommunication device, wherein the registration request includes a deviceauthentication response; comparing, by the processing system, the deviceauthentication response to a plurality of generated authenticationresponses; determining, by the processing system, that the deviceauthentication response matches a generated authentication responseamong the plurality of generated authentication responses; andnotifying, by the processing system, a server to provide services to thecommunication device according to a device profile associated with thegenerated authentication response, wherein the notifying of the servercomprises notifying an identity provisioning function of the deviceprofile, wherein the server obtains an indication of the device profilefrom the identity provisioning function.
 10. The method of claim 9,further comprising receiving, by the processing system, an internationalmobile subscriber identity (IMSI) and a generated authenticationresponse for each of a plurality of secret keys resulting in theplurality of generated authentication responses.
 11. The method of claim10, wherein the receiving of the IMSI and the plurality of generatedauthentication responses comprises receiving of the IMSI and theplurality of generated authentication responses from a registrationfunction.
 12. The method of claim 10, wherein the receiving of the IMSIand a plurality of secret keys comprises receiving of the IMSI and theplurality of secret keys from an identity provisioning function.
 13. Themethod of claim 9, further comprising associating each of the pluralityof generated authentication responses with each of a plurality of deviceprofiles.
 14. The method of claim 9, further comprising receiving, bythe processing system, a unique identifier from the communicationdevice, wherein the unique identifier is associated with the deviceprofile, and wherein the notifying of the identity provisioning functionof the device profile comprises sending the unique identifier to theidentity provisioning function, wherein the identity provisioningfunction associates each of a plurality of device profiles with each ofa plurality of unique identifiers, and wherein the identity provisioningfunction identifies the device profile according to the uniqueidentifier.
 15. The method of claim 9, wherein the device profile is oneof a group of device profiles for the communication device, and whereinthe group of device profiles indicate different users.
 16. Anon-transitory machine-readable storage medium, comprising executableinstruction that, when executed by a processing system including aprocessor, facilitate performance of operations, comprising: receiving aregistration request associated with a communication device, wherein theregistration request includes a device authentication response;comparing the device authentication response to a plurality of generatedauthentication responses; determining that the device authenticationresponse matches a generated authentication response among the pluralityof generated authentication responses; and notifying a server to provideservices to the communication device according to a device profileassociated with the generated authentication response, wherein thenotifying of the server comprises notifying an identity provisioningfunction of the device profile, wherein the server obtains an indicationof the device profile from the identity provisioning function, whereinthe device profile is one of a group of device profiles for thecommunication device, and wherein the group of device profiles indicatedifferent users.
 17. The method of claim 16, further comprisingreceiving, by the processing system, an international mobile subscriberidentity (IMSI) and a generated authentication response for each of aplurality of secret keys resulting in the plurality of generatedauthentication responses.
 18. The method of claim 17, wherein thereceiving of the IMSI and the plurality of generated authenticationresponses comprises receiving of the IMSI and the plurality of generatedauthentication responses from a registration function.
 19. The method ofclaim 17, wherein the receiving of the IMSI and a plurality of secretkeys comprises receiving of the IMSI and the plurality of secret keysfrom an identity provisioning function.
 20. The method of claim 16,further comprising associating each of the plurality of generatedauthentication responses with each of a plurality of device profiles.